Windows Analysis Report
atw3.dll

Overview

General Information

Sample name: atw3.dll
Analysis ID: 1581113
MD5: 28a6df75f54f6b40ff2b7b2920001bcb
SHA1: 261adac029e864d5480468313319539f3dbd951a
SHA256: c3b6be96582dc92249e78db51d0abe50e78b623f9bcc09405b587d736d6dc451
Tags: dll, user-k0ng0x

Detection

Gozi, Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Gozi e-Banking trojan
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
AI detected suspicious sample
Allocates memory in foreign processes
Changes memory attributes in foreign processes to executable or writable
Contain functionality to detect virtual machines
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found PHP interpreter
Found Tor onion address
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites Mozilla Firefox settings
PE file has a writeable .text section
Sigma detected: Suspect Svchost Activity
Switches to a custom stack to bypass stack traces
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to get notified if a device is plugged in / out
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries device information via Setup API
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Conhost Spawned By Uncommon Parent Process
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Uncommon Svchost Parent Process
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • loaddll32.exe (PID: 4444 cmdline: loaddll32.exe "C:\Users\user\Desktop\atw3.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)
    • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4180 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • rundll32.exe (PID: 5020 cmdline: rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)
        • svchost.exe (PID: 2720 cmdline: C:\Windows\system32\svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • regsvr32.exe (PID: 2924 cmdline: regsvr32.exe /s C:\Users\user\Desktop\atw3.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
      • svchost.exe (PID: 2344 cmdline: C:\Windows\system32\svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
        • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
          • RuntimeBroker.exe (PID: 4872 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
          • RuntimeBroker.exe (PID: 5092 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
          • rundll32.exe (PID: 1060 cmdline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll",DllRegisterServer MD5: EF3179D498793BF4234F708D3BE28633)
          • RuntimeBroker.exe (PID: 5116 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
          • RuntimeBroker.exe (PID: 1532 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: BA4CFE6461AFA1004C52F19C8F2169DC)
    • rundll32.exe (PID: 1396 cmdline: rundll32.exe C:\Users\user\Desktop\atw3.dll,DllRegisterServer MD5: 889B99C52A60DD49227C5E485A016679)
      • svchost.exe (PID: 3760 cmdline: C:\Windows\system32\svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • svchost.exe (PID: 6148 cmdline: C:\Windows\system32\svchost.exe MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Gozi, Gozi CRM
Description:
  2000 Ursnif aka Snifula
  2006 Gozi v1.0, Gozi CRM, CRM, Papras
  2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia (*) -> 2010 Gozi Prinimalka -> Vawtrak/Neverquest
  In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula. In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi

Name: Gozi, Ursnif
Description: same Malpedia family entry (win.gozi) as the row above
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
Malware Configuration (Ursnif, extracted from memory)

{
  "RSA Public Key": "<removed>",
  "c2_domain": ["pornolab.net"],
  "dga_base_url": "www.php.net/license/3_0.txt",
  "dga_tld": "ru",
  "DGA_count": "5",
  "c2_tor_domain": "aaxvkah7dudzoloq.onion",
  "tor32_dll": "ardshinbank.at/key/x32.bin file://%appdata%/system32.dll",
  "tor64_dll": "ardshinbank.at/key/x64.bin file://%appdata%/system64.dll",
  "ip_check_url": ["curlmyip.net"],
  "server": "12",
  "serpent_key": "OvZz8XVH91INT7ek",
  "sleep_time": "300",
  "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "360",
  "time_value": "30",
  "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120",
  "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300",
  "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120",
  "not_use(CRC_BCTIMEOUT)": "10",
  "botnet": "2001",
  "SetWaitableTimer_value": "60"
}
Yara matches in memory dumps

Source | Rule | Description | Author
0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security
0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp | Windows_Trojan_Gozi_261f5ac5 | unknown | unknown
  Strings:
  • 0x70:$a1: soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
  • 0x50e:$a3: Content-Disposition: form-data; name="upload_file"; filename="%.4u.%lu"
  • 0x116:$a4: &tor=1
  • 0x11d:$a5: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)
  • 0x278:$a6: http://constitution.org/usdeclar.txt
  • 0x3fd:$a7: grabs=
  • 0x65:$a8: CHROME.DLL
  • 0x193:$a9: Software\AppDataLow\Software\Microsoft\
0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(5 of 61 entries shown)

Yara matches in unpacked PEs

Source | Rule | Description | Author
3.2.regsvr32.exe.34b0000.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
5.3.rundll32.exe.4b194c0.10.raw.unpack | ursnif | Ursnif Payload | Sekoia.io
  Strings:
  • 0x29e96:$crypto64_1: 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9
  • 0x17b9c:$decrypt_config64: 44 8B D9 33 C0 45 33 C9 44 33 1D 69 49 02 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12
5.3.rundll32.exe.4b194c0.10.raw.unpack | Ursnif | Ursnif Payload | kevoreilly & enzo
  Strings:
  • 0x29e96:$crypto64_1: 41 8B 02 FF C1 41 33 C3 45 8B 1A 41 33 C0 D3 C8 41 89 02 49 83 C2 04 83 C2 FF 75 D9
  • 0x17b9c:$decrypt_config64: 44 8B D9 33 C0 45 33 C9 44 33 1D 69 49 02 00 4C 8B D2 48 85 D2 74 37 4C 8D 42 10 45 3B 0A 73 2E 45 39 58 F8 75 1C 41 F6 40 FC 01 74 12
0.3.loaddll32.exe.2d694b0.2.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
11.2.RuntimeBroker.exe.1ecfc6d3c58.1.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security
(5 of 191 entries shown)

System Summary

Sigma rule matches:
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\atw3.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 2924, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 2344, ProcessName: svchost.exe
Source: Process started | Author: Tim Rauch | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 5020, ParentProcessName: rundll32.exe, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 2472, ProcessName: conhost.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32 "C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll",DllRegisterServer, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\rundll32.exe, ProcessId: 5020, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Defasext
Source: Threat created | Author: Perez Diego (@darkquassar), oscd.community | Data: EventID: 8, SourceImage: C:\Windows\explorer.exe, SourceProcessId: 2580, StartAddress: 221C4640, TargetImage: C:\Windows\System32\RuntimeBroker.exe, TargetProcessId: 4872
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: C:\Windows\system32\svchost.exe, CommandLine: C:\Windows\system32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: regsvr32.exe /s C:\Users\user\Desktop\atw3.dll, ParentImage: C:\Windows\SysWOW64\regsvr32.exe, ParentProcessId: 2924, ParentProcessName: regsvr32.exe, ProcessCommandLine: C:\Windows\system32\svchost.exe, ProcessId: 2344, ProcessName: svchost.exe
Source: Registry Key set | Author: frack113 | Data: Details: 0, EventID: 13, EventType: SetValue, Image: C:\Windows\explorer.exe, ProcessId: 2580, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableSPDY3_0

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T00:55:06.266479+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49733 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:06.267697+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49734 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:06.272999+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49735 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:08.663954+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49738 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:10.184929+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49739 | 185.85.0.29 | 443 | TCP
2024-12-27T00:59:46.108893+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.4 | 49753 | 185.85.0.29 | 443 | TCP

AV Detection

Source: atw3.dll | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll | Avira: detection malicious, Label: HEUR/AGEN.1301198
Source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp | Malware Configuration Extractor: Ursnif {"RSA Public Key": "<removed>", "c2_domain": ["pornolab.net"], "dga_base_url": "www.php.net/license/3_0.txt", "dga_tld": "ru", "DGA_count": "5", "c2_tor_domain": "aaxvkah7dudzoloq.onion", "tor32_dll": "ardshinbank.at/key/x32.bin file://%appdata%/system32.dll", "tor64_dll": "ardshinbank.at/key/x64.bin file://%appdata%/system64.dll", "ip_check_url": ["curlmyip.net"], "server": "12", "serpent_key": "OvZz8XVH91INT7ek", "sleep_time": "300", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "360", "time_value": "30", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "120", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "120", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2001", "SetWaitableTimer_value": "60"}
Source: C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll | ReversingLabs: Detection: 57%
Source: atw3.dll | ReversingLabs: Detection: 57%
Source: atw3.dll | Virustotal: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll | Joe Sandbox ML: detected
Source: atw3.dll | Joe Sandbox ML: detected
Source: atw3.dll | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: unknown | HTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49753 version: TLS 1.2
                Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.1736053407.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1713119224.0000000005830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1714071911.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706772809.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.1736053407.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1713119224.0000000005830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1714071911.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706772809.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBFF5A8 memset,RegisterDeviceNotificationA,GetLastError,10_2_0FBFF5A8
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_6CBF2FCE
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,0_2_6CBF5E30
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,3_2_6CBF5E30
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,4_2_6CBF5E30
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,5_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,5_2_6CBF5E30
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B918B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,6_2_00B918B0
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B75ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,6_2_00B75ABC
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B78234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,6_2_00B78234
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B75668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,6_2_00B75668
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002D18B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,7_2_002D18B0
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,7_2_002B8234
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,7_2_002B5ABC
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,7_2_002B5668
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002218B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,8_2_002218B0
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00208234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,8_2_00208234
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00205ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,8_2_00205ABC
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00205668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,8_2_00205668
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008E18B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,9_2_008E18B0
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,9_2_008C5ABC
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,9_2_008C8234
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,9_2_008C5668
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,PathCombineW,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,StrRChrW,PathCombineW,PathFindFileNameW,PathCombineW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,PathCombineW,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,PathCombineW,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,10_2_0FBF5668
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,10_2_0FBF8234
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,PathCombineW,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,PathCombineW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,10_2_0FBF5ABC
                Source: C:\Windows\explorer.exeCode function: 10_2_0FC118B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,10_2_0FC118B0
                Source: C:\Windows\explorer.exeCode function: 10_2_110418B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,10_2_110418B0
                Source: C:\Windows\explorer.exeCode function: 10_2_11028234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,10_2_11028234
                Source: C:\Windows\explorer.exeCode function: 10_2_11025ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,10_2_11025ABC
                Source: C:\Windows\explorer.exeCode function: 10_2_11025668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,10_2_11025668
                Source: C:\Windows\explorer.exeCode function: 10_2_111018B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,10_2_111018B0
                Source: C:\Windows\explorer.exeCode function: 10_2_110E8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,10_2_110E8234
                Source: C:\Windows\explorer.exeCode function: 10_2_110E5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,10_2_110E5ABC
                Source: C:\Windows\explorer.exeCode function: 10_2_110E5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,10_2_110E5668
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6932C wcscpy,GetLogicalDriveStringsW,HeapAlloc,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,HeapFree,HeapFree,6_2_00B6932C

                Networking

                Source: C:\Windows\explorer.exe Network Connect: 185.85.0.29 443
                Source: svchost.exe, 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: svchost.exe, 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: svchost.exe, 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: svchost.exe, 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: explorer.exe, 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: ADVAPI32.DLLCryptGetUserKeyKERNEL32.DLLLoadLibraryExWWS2_32.DLLWSARecvWSASendclosesocketrecvCHROME.DLLsoft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%xversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s&ip=%s&os=%s%u.%u_%u_%u_x%u&tor=1Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s); Win64; x64http://https://file://USER.ID%lu.exe/upd %luSoftware\AppDataLow\Software\Microsoft\MainBlockTempClientIniKeysScrLastTaskLastConfigCrHookOpHookExec.onion/TorClientTorCrc%s %s HTTP/1.1
                Source: global trafficHTTP traffic detected: GET /license/3_0.txt HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: www.php.net
                Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 185.85.0.29:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 185.85.0.29:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 185.85.0.29:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 185.85.0.29:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49753 -> 185.85.0.29:443
                Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 185.85.0.29:443
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: global trafficDNS traffic detected: DNS query: www.php.net
                Source: global trafficDNS traffic detected: DNS query: ardshinbank.at
                Source: explorer.exe, 0000000A.00000000.1777038113.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4578967664.000000000C54A000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ardshinbank.at/W
                Source: explorer.exe, 0000000A.00000000.1770828071.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: explorer.exe, 0000000A.00000002.4585045937.0000000011B2C000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txt
                Source: svchost.exe, 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://constitution.org/usdeclar.txtC:
                Source: explorer.exe, 0000000A.00000000.1770828071.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: explorer.exe, 0000000A.00000000.1770828071.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: svchost.exe, 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmpString found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                Source: explorer.exe, 0000000A.00000000.1770828071.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                Source: explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                Source: explorer.exe, 0000000A.00000002.4537942603.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1772870579.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1769772722.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000000.1805839625.000001ECFC470000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000000.1833669471.000001D178850000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4498222206.0000023B609B0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                Source: explorer.exe, 0000000A.00000003.3106178648.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079B1000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 
0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.php.net
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1799939841.0000023902425000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4491235090.000001ECFA213000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 
0000000B.00000002.4492189420.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4493124013.000001ECFA2E0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.php.net/
                Source: explorer.exe, 0000000A.00000000.1778286571.000000000CA42000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.php.net//
                Source: RuntimeBroker.exe, 0000000B.00000002.4492189420.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.php.net/er
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1778286571.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106375939.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4580412188.000000000C964000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4497033597.000001ECFBF43000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4490166405.0000018F765BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.php.net/license/3_0.txt
                Source: rundll32.exe, 0000000D.00000002.4490166405.0000018F765BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.php.net/license/3_0.txtc
                Source: explorer.exe, 0000000A.00000000.1778286571.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4497033597.000001ECFBF43000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4490166405.0000018F765BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.php.net/license/3_0.txts
                Source: RuntimeBroker.exe, 0000000B.00000002.4497033597.000001ECFBF43000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.php.net/license/3_0.txtver
                Source: svchost.exe, 00000006.00000002.1795210701.000001EE6FC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766213035.0000027155441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800059950.0000023902440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790082787.00000236FDA40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1778334322.000000000CAF3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105533064.000000000CAF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4581566450.000000000CAFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105098265.000000000CAF3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.php.net:80/license/3_0.txt
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.zend.com
                Source: explorer.exe, 0000000A.00000003.3106375939.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C893000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                Source: explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/Vh5j3k
                Source: explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/odirmr
                Source: explorer.exe, 0000000A.00000002.4578967664.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/q
                Source: explorer.exe, 0000000A.00000000.1766662216.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4490368301.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4497387889.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1767679481.0000000003700000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 0000000A.00000002.4565072197.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 0000000A.00000002.4565072197.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000096DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.comi
                Source: explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
                Source: explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                Source: explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drString found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drString found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                Source: explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drString found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                Source: explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                Source: prefs.js.10.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://opensource.org/licenses/PHP-3.0
                Source: explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_
                Source: explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 0000000A.00000000.1777038113.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4578967664.000000000C557000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/L
                Source: explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drString found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
                Source: explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: svchost.exe, 00000006.00000002.1795357235.000001EE6FC6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.000002715546D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800200737.000002390246B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790335410.00000236FDA6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/
                Source: svchost.exe, 00000009.00000002.1790335410.00000236FDA6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106682325.000000000C84D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106375939.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4580412188.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txt
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txt-kv
                Source: explorer.exe, 0000000A.00000003.3106375939.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4580412188.000000000C964000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txtK
                Source: svchost.exe, 00000006.00000002.1795357235.000001EE6FC6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.000002715546D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800200737.000002390246B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txtLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedExpir
                Source: svchost.exe, 00000007.00000002.1766449588.000002715546D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txtbe679
                Source: svchost.exe, 00000006.00000002.1795357235.000001EE6FC6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txtom
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA69000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_0.txtz
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net/license/3_01.txt
                Source: svchost.exe, 00000006.00000002.1795210701.000001EE6FC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790082787.00000236FDA40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105533064.000000000CAF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4581566450.000000000CAFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105098265.000000000CAF3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.php.net:443/license/3_0.txt
                Source: svchost.exe, 00000007.00000002.1766213035.0000027155441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.php.net:443/license/3_0.txtonic0Local
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
                Source: explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
                Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
                Source: unknownHTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49733 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49734 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49735 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49738 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49739 version: TLS 1.2
                Source: unknownHTTPS traffic detected: 185.85.0.29:443 -> 192.168.2.4:49753 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara matchFile source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2720, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3760, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6148, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5092, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1060, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5116, type: MEMORYSTR
                Source: Yara match | File source: 3.2.regsvr32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.fc23c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 16.2.RuntimeBroker.exe.23b60323c58.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11053c58.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.rundll32.exe.18f767a3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.8f3c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.42d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.11.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.svchost.exe.ba3c50.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11113c58.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.explorer.exe.fc23c58.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.3fa0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.svchost.exe.233c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.regsvr32.exe.34b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.RuntimeBroker.exe.1d178783c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.regsvr32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.svchost.exe.2e3c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.loaddll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1716335740.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1714696706.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000003.1713752147.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1715716468.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1701139079.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1740443411.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4494737876.0000023B60323000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584103095.0000000011053000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.4500307838.000001ECFC6D3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1765530141.00000000002E3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4583025983.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.1785007984.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000003.1697742809.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1734980952.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1799489416.0000000000233000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1716382978.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584617538.0000000011113000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.4491795198.0000018F767A3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1739987325.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\explorer.exe | Code function: 10_2_0FBFE6A8 memset,memset,memset,GetAncestor,GetKeyboardState,GetKeyboardLayout,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,ToUnicodeEx,HeapFree | 10_2_0FBFE6A8
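The Yara match listing above (repeated verbatim under E-Banking Fraud below) names memory dumps, unpacked PE regions and whole process memory spaces, and leaves the analyst to correlate them by hand. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it folds such lines into a per-process triage summary, pairing each process index with its image name, the memory regions that held the payload, and how many of those were writable and executable. It assumes that the first dot-field of a .sdmp name is the hexadecimal process index (consistent with the decimal index in the .unpack names, e.g. 0000000A and 10.2.explorer.exe) and that the fifth field is the Win32 page protection of the region; the PAGE_* table and the sample lines are mine, with the sample lines copied from this page.

```python
"""Triage helper for Joe Sandbox 'Yara match' source lines (added example)."""
import re

# Win32 PAGE_* protection constants. Assumption (not stated on the page): the
# fifth dot-separated field of a .sdmp name is the region's page protection;
# the 0x04 / 0x40 values seen throughout the report fit that reading.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}

# Accepts both the fused extraction form ("Yara matchFile source:") and a
# separated one ("Yara match | File source:").
SOURCE_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<type>[A-Z]+)\s*$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.\d+\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?:[0-9A-Fa-f]{8}\.){3}sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>[^.]+\.exe)\.(?P<addr>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack$")
MEMSTR_RE = re.compile(r"^Process Memory Space:\s*(?P<image>\S+)\s+PID:\s*(?P<pid>\d+)$")

# Constructed sample input: lines copied from the report above.
SAMPLE_LINES = """\
Source: Yara match | File source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match | File source: 10.2.explorer.exe.fc23c58.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.rundll32.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.2.unpack, type: UNPACKEDPE
"""


def parse_line(line):
    """Return (kind, fields) for one 'Yara match' line, or None if it is not one."""
    m = SOURCE_RE.search(line)
    if not m:
        return None
    src, kind = m.group("src"), m.group("type")
    if kind == "MEMORY":
        d = SDMP_RE.match(src)
        if not d:
            return None
        prot = int(d.group("protect"), 16)
        return kind, {"proc": int(d.group("proc"), 16), "stage": int(d.group("stage"), 16),
                      "base": int(d.group("base"), 16),
                      "protect": PAGE_PROTECT.get(prot, hex(prot))}
    if kind == "UNPACKEDPE":
        d = UNPACK_RE.match(src)
        if not d:
            return None
        return kind, {"proc": int(d.group("proc")), "stage": int(d.group("stage")),
                      "image": d.group("image"), "addr": int(d.group("addr"), 16)}
    if kind == "MEMORYSTR":
        d = MEMSTR_RE.match(src)
        if not d:
            return None
        return kind, {"image": d.group("image"), "pid": int(d.group("pid"))}
    return None


def triage(lines):
    """Fold lines into per-process evidence: image name, payload-bearing
    regions (base, protection) and a count of RWX regions, plus PIDs per image."""
    procs, pids = {}, {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        kind, f = parsed
        if kind == "MEMORYSTR":
            pids.setdefault(f["image"], set()).add(f["pid"])
            continue
        entry = procs.setdefault(f["proc"], {"image": None, "regions": [], "rwx": 0})
        if kind == "UNPACKEDPE":
            entry["image"] = f["image"]
        else:  # MEMORY
            entry["regions"].append((f["base"], f["protect"]))
            if f["protect"] == "PAGE_EXECUTE_READWRITE":
                entry["rwx"] += 1
    return {"processes": procs, "pids": {k: sorted(v) for k, v in pids.items()}}


if __name__ == "__main__":
    result = triage(SAMPLE_LINES.splitlines())
    for idx, entry in sorted(result["processes"].items()):
        regions = ", ".join(f"0x{b:X} {p}" for b, p in entry["regions"]) or "-"
        print(f"proc {idx:>2} {entry['image']:<18} rwx={entry['rwx']} regions: {regions}")
    for image, pid_list in sorted(result["pids"].items()):
        print(f"{image}: PIDs {pid_list}")
```

Feed it the whole report export and the RWX count per process is the quickest pointer to where the unpacked payload actually executes (here the 0x40 regions inside explorer.exe, svchost.exe, RuntimeBroker.exe and rundll32.exe), while the 0x04 regions at the same bases are the data views of the same injected code.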

                E-Banking Fraud

                Source: C:\Windows\System32\loaddll32.exe | Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls | 0_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\regsvr32.exe | Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls | 3_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls | 4_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls | 5_2_6CBF2FCE
                Source: C:\Windows\System32\svchost.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 6_2_00B78234
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 6_2_00B61FFC
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 6_2_00B61FFC
                Source: C:\Windows\System32\svchost.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 7_2_002B8234
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 7_2_002A1FFC
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 7_2_002A1FFC
                Source: C:\Windows\System32\svchost.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 8_2_00208234
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 8_2_001F1FFC
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 8_2_001F1FFC
                Source: C:\Windows\System32\svchost.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 9_2_008C8234
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 9_2_008B1FFC
                Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 9_2_008B1FFC
                Source: C:\Windows\explorer.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 10_2_0FBF8234
                Source: C:\Windows\explorer.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,StrChrW,lstrcatW,CreateDirectoryW,lstrcatW,StrChrW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 10_2_0FBE1FFC
                Source: C:\Windows\explorer.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,StrChrW,lstrcatW,CreateDirectoryW,lstrcatW,StrChrW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 10_2_0FBE1FFC
                Source: C:\Windows\explorer.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 10_2_11028234
                Source: C:\Windows\explorer.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 10_2_11011FFC
                Source: C:\Windows\explorer.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 10_2_11011FFC
                Source: C:\Windows\explorer.exe | Code function: HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose, %systemroot%\system32\c_1252.nls | 10_2_110E8234
                Source: C:\Windows\explorer.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 10_2_110D1FFC
                Source: C:\Windows\explorer.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ie | 10_2_110D1FFC
                Source: Yara match | File source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2720, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3760, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6148, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5092, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1060, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5116, type: MEMORYSTR
                Source: Yara match | File source: 3.2.regsvr32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.fc23c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 16.2.RuntimeBroker.exe.23b60323c58.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11053c58.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.rundll32.exe.18f767a3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.8f3c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.42d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.11.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.svchost.exe.ba3c50.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11113c58.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.explorer.exe.fc23c58.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.10.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.3fa0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.svchost.exe.233c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.regsvr32.exe.34b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.12.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.RuntimeBroker.exe.1d178783c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.regsvr32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 7.2.svchost.exe.2e3c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.loaddll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.1716335740.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000003.1714696706.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000003.1713752147.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1715716468.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1701139079.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1740443411.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4494737876.0000023B60323000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584103095.0000000011053000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.4500307838.000001ECFC6D3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1765530141.00000000002E3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4583025983.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.1785007984.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000003.1697742809.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1734980952.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1799489416.0000000000233000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000003.1716382978.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584617538.0000000011113000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000D.00000002.4491795198.0000018F767A3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1739987325.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
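The Code function rows in this category list raw API sequences and the strings each function references (the keyboard-state/ToUnicodeEx loop in explorer.exe, the FindFirstFileA/CompareFileTime walk, the CopyFileW/DeleteFileW routine that touches \cookie.ff and \cookie.ie), and the final row records explorer.exe setting EnableSPDY3_0 to 0 under Internet Settings. The Python script below is an added example, not part of the Joe Sandbox report: it turns such rows into per-process behaviour tags so the same evidence can be read at a glance. The tag names and the API/string heuristics are my own assumptions chosen to fit the rows on this page; the sample rows are copied from the page, in both the fused extraction form and a separated form, and the registry tag follows the report's own reading of the SPDY change as likely web-inject preparation.

```python
"""Behaviour tagging for Joe Sandbox 'Code function' and registry rows (added example)."""
import re

PROC_RE = re.compile(r"Source:\s*(?P<proc>[A-Za-z]:\\.+?\.exe)", re.I)
CODEFN_RE = re.compile(r"Code function:\s*(?P<body>.+)$")
REG_RE = re.compile(
    r"Registry key value created / modified:\s*(?P<key>.+?)\s+(?P<name>\S+)\s+(?P<data>\S+)\s*$")
# Joe Sandbox function ids look like <proc>_<stage>_<hexaddr>; the report shows
# one before the API list and/or glued onto its tail.
FID_LEAD_RE = re.compile(r"^\s*\d+_\d+_[0-9A-Fa-f]{8}\s+")
FID_TAIL_RE = re.compile(r",?\s*\|?\s*\d+_\d+_[0-9A-Fa-f]{8}\s*$")
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Heuristic tags (assumptions of this example, tuned to the rows on this page).
RULES = (
    ("keystroke capture",
     lambda apis, strs: {"GetAsyncKeyState", "ToUnicodeEx"} <= apis),
    ("browser cookie theft",
     lambda apis, strs: "CopyFileW" in apis
     and any(s.lower().endswith(("cookie.ff", "cookie.ie")) for s in strs)),
    ("timestamp-based file enumeration",
     lambda apis, strs: {"FindFirstFileA", "FindNextFileA", "CompareFileTime"} <= apis),
)

# Constructed sample input: rows copied from the report above.
SAMPLE_LINES = r"""
Source: C:\Windows\explorer.exeCode function: 10_2_0FBFE6A8 memset,memset,memset,GetAncestor,GetKeyboardState,GetKeyboardLayout,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,ToUnicodeEx,HeapFree,10_2_0FBFE6A8
Source: C:\Windows\System32\loaddll32.exeCode function: HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree, %systemroot%\system32\c_1252.nls0_2_6CBF2FCE
Source: C:\Windows\System32\svchost.exe | Code function: lstrlenA,HeapAlloc,mbstowcs,lstrcatW,HeapFree,HeapAlloc,lstrcatW,HeapFree,CreateDirectoryW,lstrlenW,lstrlenW,lstrlenW,HeapAlloc,lstrcpyW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcatW,lstrcatW,CopyFileW,HeapFree,DeleteFileW,HeapFree,HeapFree, \cookie.ff | 6_2_00B61FFC
Source: C:\Windows\explorer.exe | Registry key value created / modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
"""


def parse_code_function(body):
    """Split a Code function body into the set of API names and the list of
    referenced strings, dropping the function ids at either end."""
    body = FID_TAIL_RE.sub("", FID_LEAD_RE.sub("", body))
    apis, strings = set(), []
    for tok in body.split(","):
        tok = tok.strip(" |")
        if not tok:
            continue
        if IDENT_RE.fullmatch(tok):
            apis.add(tok)
        else:
            strings.append(tok)
    return apis, strings


def registry_tag(key, name, data):
    """Flag the SPDY switch-off the report associates with web injects."""
    if (key.lower().endswith("internet settings")
            and name.upper().startswith("ENABLESPDY") and data == "0"):
        return "SPDY disabled in Internet Settings (web-inject preparation)"
    return None


def classify(lines):
    """Map each source process (image name) to a sorted list of behaviour tags."""
    tags = {}
    for line in lines:
        line = re.sub(r"Jump to behavior\s*$", "", line).rstrip()  # page-link residue
        pm = PROC_RE.search(line)
        if not pm:
            continue
        proc = pm.group("proc").rsplit("\\", 1)[-1].lower()
        cm, rm = CODEFN_RE.search(line), REG_RE.search(line)
        if cm:
            apis, strings = parse_code_function(cm.group("body"))
            for tag, pred in RULES:
                if pred(apis, strings):
                    tags.setdefault(proc, set()).add(tag)
        elif rm:
            tag = registry_tag(rm.group("key"), rm.group("name"), rm.group("data"))
            if tag:
                tags.setdefault(proc, set()).add(tag)
    return {p: sorted(t) for p, t in tags.items()}


if __name__ == "__main__":
    for proc, proc_tags in sorted(classify(SAMPLE_LINES.splitlines()).items()):
        print(f"{proc:<16} {'; '.join(proc_tags)}")
```

Because the rules key on API combinations plus referenced strings rather than on function addresses, the same tags come out for every copy of the injected code (svchost.exe at 6_2_00B61FFC, 7_2_002A1FFC, 8_2_001F1FFC and so on), which is what you want when the payload has been mapped into a dozen host processes.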

                System Summary

                Source: 5.3.rundll32.exe.4b194c0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 5.3.rundll32.exe.4b194c0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 4.3.rundll32.exe.47794c0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 4.3.rundll32.exe.47794c0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.0.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.0.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 8.2.svchost.exe.263c50.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 8.2.svchost.exe.263c50.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11143c58.7.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11143c58.7.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 3.3.regsvr32.exe.56094c0.11.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 3.3.regsvr32.exe.56094c0.11.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 3.3.regsvr32.exe.56094c0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 3.3.regsvr32.exe.56094c0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 3.3.regsvr32.exe.56094c0.11.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 3.3.regsvr32.exe.56094c0.11.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 5.3.rundll32.exe.4b194c0.10.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 5.3.rundll32.exe.4b194c0.10.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0.3.loaddll32.exe.2d994c0.12.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 0.3.loaddll32.exe.2d994c0.12.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0.3.loaddll32.exe.2d994c0.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 0.3.loaddll32.exe.2d994c0.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 8.2.svchost.exe.263c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 8.2.svchost.exe.263c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 6.2.svchost.exe.b60000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 6.2.svchost.exe.b60000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11143c58.7.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11143c58.7.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.110d0000.6.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.110d0000.6.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.0.explorer.exe.fc53c58.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.0.explorer.exe.fc53c58.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 7.2.svchost.exe.2a0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 7.2.svchost.exe.2a0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 16.2.RuntimeBroker.exe.23b60353c58.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 16.2.RuntimeBroker.exe.23b60353c58.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 13.2.rundll32.exe.18f767d3c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 13.2.rundll32.exe.18f767d3c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 4.3.rundll32.exe.47794c0.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 4.3.rundll32.exe.47794c0.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.0.explorer.exe.fc53c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.0.explorer.exe.fc53c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 7.2.svchost.exe.313c50.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 7.2.svchost.exe.313c50.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 4.3.rundll32.exe.47794c0.10.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 4.3.rundll32.exe.47794c0.10.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.fc53c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.fc53c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11083c58.4.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11083c58.4.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 13.2.rundll32.exe.18f76760000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 13.2.rundll32.exe.18f76760000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 8.2.svchost.exe.1f0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 8.2.svchost.exe.1f0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 11.2.RuntimeBroker.exe.1ecfc690000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 11.2.RuntimeBroker.exe.1ecfc690000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 12.2.RuntimeBroker.exe.1d1787b3c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 12.2.RuntimeBroker.exe.1d1787b3c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 12.2.RuntimeBroker.exe.1d1787b3c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 12.2.RuntimeBroker.exe.1d1787b3c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11083c58.4.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11083c58.4.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0.3.loaddll32.exe.2d994c0.12.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 0.3.loaddll32.exe.2d994c0.12.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 13.2.rundll32.exe.18f767d3c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 13.2.rundll32.exe.18f767d3c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0.3.loaddll32.exe.2d994c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 0.3.loaddll32.exe.2d994c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 6.2.svchost.exe.bd3c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 6.2.svchost.exe.bd3c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 7.2.svchost.exe.313c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 7.2.svchost.exe.313c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 16.2.RuntimeBroker.exe.23b602e0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 16.2.RuntimeBroker.exe.23b602e0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.fc53c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.fc53c58.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 4.3.rundll32.exe.47794c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 4.3.rundll32.exe.47794c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 6.2.svchost.exe.bd3c50.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 6.2.svchost.exe.bd3c50.2.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11010000.3.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11010000.3.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 5.3.rundll32.exe.4b194c0.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 5.3.rundll32.exe.4b194c0.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 3.3.regsvr32.exe.56094c0.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 3.3.regsvr32.exe.56094c0.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 12.2.RuntimeBroker.exe.1d178740000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 12.2.RuntimeBroker.exe.1d178740000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 9.2.svchost.exe.923c50.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 9.2.svchost.exe.923c50.1.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 5.3.rundll32.exe.4b194c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 5.3.rundll32.exe.4b194c0.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 9.2.svchost.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 9.2.svchost.exe.8b0000.0.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 9.2.svchost.exe.923c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 9.2.svchost.exe.923c50.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 16.2.RuntimeBroker.exe.23b60353c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 16.2.RuntimeBroker.exe.23b60353c58.1.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: Sekoia.io
                Source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE; Matched rule: Ursnif Payload; Author: kevoreilly & enzo
                Source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: svchost.exe PID: 2720, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: svchost.exe PID: 3760, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: svchost.exe PID: 6148, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: RuntimeBroker.exe PID: 5092, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: rundll32.exe PID: 1060, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: Process Memory Space: RuntimeBroker.exe PID: 5116, type: MEMORYSTR; Matched rule: Windows_Trojan_Gozi_261f5ac5; Author: unknown
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Copyright (c) 1999 - 2006 The PHP Group. All rights reserved.
                Source: svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: 5. The PHP Group may publish revised and/or new versions of the
                Source: explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: published by the PHP Group. No one other than the PHP Group has
                Source: explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3106064374.000000000CB98000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3106064374.000000000CB98000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3106064374.000000000CB98000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000002.4580954126.000000000C9DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000002.4580954126.000000000C9DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000002.4580954126.000000000C9DF000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000003.3106030732.000000000CB80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000003.3106030732.000000000CB80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000003.3106030732.000000000CB80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
                Source: explorer.exe, 0000000A.00000002.4582010100.000000000CC00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: individuals on behalf of the PHP Group.
                Source: explorer.exe, 0000000A.00000002.4582010100.000000000CC00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: The PHP Group can be contacted via Email at group@php.net.
                Source: explorer.exe, 0000000A.00000002.4582010100.000000000CC00000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: For more information on the PHP Group and the PHP project,
whatsoever must retain the following acknowledgment this product includes php freely available from http www php net this software provided the php development team and any expressed implied warranties including but not limited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com
                Source: rundll32.exe, 0000000D.00000002.4492271535.0000018F76DCC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: nse version file this the original php license version which applies only very old versions php software such versions and earlier the php license version open source initiative approved license available https opensource org licenses php this license has been superseded the php license version available https www php net license txt all new works using the php license should use the php license version the php license version copyright the php group all rights reserved redistribution and use source and binary forms with without modification permitted provided that the following conditions are met redistributions source code must retain the above copyright notice this list conditions and the following disclaimer redistributions binary form must reproduce the above copyright notice this list conditions and the following disclaimer the documentation and other materials provided with the distribution the name php must not used endorse promote products derived from this software without prior written permission for written permission please contact group php net products derived from this software may not called php nor may php appear their name without prior written permission from group php net you may indicate that your software works conjunction with php saying foo for php instead calling php foo phpfoo the php group may publish revised and new versions the license from time time each version will given distinguishing version number once covered code has been published under particular version the license you may always continue use under the terms that version you may also choose use such covered code under the terms any subsequent version the license published the php group one other than the php group has the right modify the terms applicable covered code created under this license redistributions any form 
whatsoever must retain the following acknowledgment this product includes php freely available from http www php net this software provided the php development team and any expressed implied warranties including but not limited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com JJl
                Source: RuntimeBroker.exe, 00000010.00000002.4507599757.0000023B61102000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: nse version file this the original php license version which applies only very old versions php software such versions and earlier the php license version open source initiative approved license available https opensource org licenses php this license has been superseded the php license version available https www php net license txt all new works using the php license should use the php license version the php license version copyright the php group all rights reserved redistribution and use source and binary forms with without modification permitted provided that the following conditions are met redistributions source code must retain the above copyright notice this list conditions and the following disclaimer redistributions binary form must reproduce the above copyright notice this list conditions and the following disclaimer the documentation and other materials provided with the distribution the name php must not used endorse promote products derived from this software without prior written permission for written permission please contact group php net products derived from this software may not called php nor may php appear their name without prior written permission from group php net you may indicate that your software works conjunction with php saying foo for php instead calling php foo phpfoo the php group may publish revised and new versions the license from time time each version will given distinguishing version number once covered code has been published under particular version the license you may always continue use under the terms that version you may also choose use such covered code under the terms any subsequent version the license published the php group one other than the php group has the right modify the terms applicable covered code created under this license redistributions any 
form whatsoever must retain the following acknowledgment this product includes php freely available from http www php net this software provided the php development team and any expressed implied warranties including but not limited the implied warranties merchantability and fitness for particular purpose are disclaimed event shall the php development team its contributors liable for any direct indirect incidental special exemplary consequential damages including but not limited procurement substitute goods services loss use data profits business interruption however caused and any theory liability whether contract strict liability tort including negligence otherwise arising any way out the use this software even advised the possibility such damage this software consists voluntary contributions made many individuals behalf the php group the php group can contacted via email group php net for more information the php group and the php project please see http www php net this product includes the zend engine freely available http www zend com
                Source: atw3.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: adsnrans.dll.5.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: C:\Windows\explorer.exe Process Stats: CPU usage > 49%
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2492 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,0_2_6CBF2492
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2286 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,0_2_6CBF2286
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF4B80 NtWriteVirtualMemory,0_2_6CBF4B80
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2DF1 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,0_2_6CBF2DF1
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF3ED3 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,0_2_6CBF3ED3
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF1ACC ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose,0_2_6CBF1ACC
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2E32 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,0_2_6CBF2E32
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF241D NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,0_2_6CBF241D
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2D19 NtQuerySystemInformation,RtlNtStatusToDosError,0_2_6CBF2D19
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF4904 NtMapViewOfSection,RtlNtStatusToDosError,0_2_6CBF4904
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF4943 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,0_2_6CBF4943
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2DB0 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,0_2_6CBF2DB0
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2D8F NtGetContextThread,RtlNtStatusToDosError,0_2_6CBF2D8F
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2885 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,0_2_6CBF2885
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2E82 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,0_2_6CBF2E82
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF2C25 memset,ZwQueryInformationProcess,0_2_6CBF2C25
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF755D NtQueryVirtualMemory,0_2_6CBF755D
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00810000 NtProtectVirtualMemory,NtAllocateVirtualMemory,NtProtectVirtualMemory,0_2_00810000
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2492 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,3_2_6CBF2492
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2286 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,3_2_6CBF2286
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF4B80 NtProtectVirtualMemory,3_2_6CBF4B80
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2DF1 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_6CBF2DF1
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF3ED3 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,3_2_6CBF3ED3
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF1ACC ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose,3_2_6CBF1ACC
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2E32 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_6CBF2E32
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF241D NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,3_2_6CBF241D
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2D19 NtQuerySystemInformation,RtlNtStatusToDosError,3_2_6CBF2D19
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF4904 NtMapViewOfSection,RtlNtStatusToDosError,3_2_6CBF4904
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF4943 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,3_2_6CBF4943
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2DB0 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,3_2_6CBF2DB0
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2D8F NtGetContextThread,RtlNtStatusToDosError,3_2_6CBF2D8F
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2885 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,3_2_6CBF2885
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2E82 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,3_2_6CBF2E82
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF2C25 memset,ZwQueryInformationProcess,3_2_6CBF2C25
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF755D NtQueryVirtualMemory,3_2_6CBF755D
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_03460000 NtProtectVirtualMemory,NtAllocateVirtualMemory,3_2_03460000
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2492 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,4_2_6CBF2492
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2286 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,4_2_6CBF2286
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF4B80 NtWriteVirtualMemory,4_2_6CBF4B80
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2DF1 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,4_2_6CBF2DF1
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF3ED3 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,4_2_6CBF3ED3
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF1ACC ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose,4_2_6CBF1ACC
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2E32 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,4_2_6CBF2E32
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF241D NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,4_2_6CBF241D
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2D19 NtQuerySystemInformation,RtlNtStatusToDosError,4_2_6CBF2D19
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF4904 NtMapViewOfSection,RtlNtStatusToDosError,4_2_6CBF4904
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF4943 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,4_2_6CBF4943
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2DB0 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,4_2_6CBF2DB0
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2D8F NtGetContextThread,RtlNtStatusToDosError,4_2_6CBF2D8F
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2885 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,4_2_6CBF2885
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2E82 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,4_2_6CBF2E82
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF2C25 memset,ZwQueryInformationProcess,4_2_6CBF2C25
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF755D NtQueryVirtualMemory,4_2_6CBF755D
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F50000 NtProtectVirtualMemory,NtAllocateVirtualMemory,NtProtectVirtualMemory,4_2_03F50000
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2492 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA,5_2_6CBF2492
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2286 NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64,5_2_6CBF2286
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF4B80 NtProtectVirtualMemory,5_2_6CBF4B80
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2DF1 NtWriteVirtualMemory,VirtualProtectEx,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,5_2_6CBF2DF1
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF3ED3 memcpy,memcpy,memcpy,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,5_2_6CBF3ED3
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF1ACC ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,ZwQueryInformationToken,ZwQueryInformationToken,memcpy,ZwClose,ZwClose,5_2_6CBF1ACC
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2E32 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,5_2_6CBF2E32
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF241D NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64,5_2_6CBF241D
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2D19 NtQuerySystemInformation,RtlNtStatusToDosError,5_2_6CBF2D19
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF4904 NtMapViewOfSection,RtlNtStatusToDosError,5_2_6CBF4904
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF4943 NtCreateSection,memset,RtlNtStatusToDosError,ZwClose,5_2_6CBF4943
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2DB0 NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,5_2_6CBF2DB0
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2D8F NtGetContextThread,RtlNtStatusToDosError,5_2_6CBF2D8F
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2885 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,5_2_6CBF2885
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2E82 GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,NtGetContextThread,NtGetContextThread,5_2_6CBF2E82
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF2C25 memset,ZwQueryInformationProcess,5_2_6CBF2C25
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF755D NtQueryVirtualMemory,5_2_6CBF755D
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02A40000 NtProtectVirtualMemory,NtAllocateVirtualMemory,NtProtectVirtualMemory,5_2_02A40000
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B7D1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread,6_2_00B7D1CC
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B7724C NtQueryInformationProcess,6_2_00B7724C
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B78BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose,6_2_00B78BF4
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B7CB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,6_2_00B7CB7C
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B7DDCC NtMapViewOfSection,RtlNtStatusToDosError,6_2_00B7DDCC
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B77540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError,6_2_00B77540
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B77EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,6_2_00B77EB8
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B71688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateStreamOnHGlobal,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread,6_2_00B71688
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B72830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,6_2_00B72830
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B7C994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree,6_2_00B7C994
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B772B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,6_2_00B772B8
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B77DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,6_2_00B77DC0
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B68DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree,6_2_00B68DCC
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B77E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,6_2_00B77E6C
                Source: C:\Windows\System32\svchost.exe Code function: 6_2_00B77F04 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,6_2_00B77F04
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002BD1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread,7_2_002BD1CC
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B724C NtQueryInformationProcess,7_2_002B724C
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002BCB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,7_2_002BCB7C
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B8BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose,7_2_002B8BF4
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B7540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError,7_2_002B7540
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002BDDCC NtMapViewOfSection,RtlNtStatusToDosError,7_2_002BDDCC
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B7EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,7_2_002B7EB8
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B1688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateStreamOnHGlobal,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread,7_2_002B1688
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B2830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,7_2_002B2830
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002BC994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree,7_2_002BC994
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B72B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,7_2_002B72B8
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002A8DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree,7_2_002A8DCC
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B7DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,7_2_002B7DC0
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B7E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,7_2_002B7E6C
                Source: C:\Windows\System32\svchost.exe Code function: 7_2_002B7F04 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,7_2_002B7F04
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_0020D1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread,8_2_0020D1CC
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_0020724C NtQueryInformationProcess,8_2_0020724C
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00208BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose,8_2_00208BF4
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00207EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,8_2_00207EB8
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00201688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateStreamOnHGlobal,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread,8_2_00201688
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00202830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,8_2_00202830
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_0020C994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree,8_2_0020C994
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_002072B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,8_2_002072B8
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_0020CB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,8_2_0020CB7C
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00207540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError,8_2_00207540
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F8DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree,8_2_001F8DCC
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00207DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,8_2_00207DC0
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_0020DDCC NtMapViewOfSection,RtlNtStatusToDosError,8_2_0020DDCC
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00207E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,8_2_00207E6C
                Source: C:\Windows\System32\svchost.exe Code function: 8_2_00207F04 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,8_2_00207F04
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008CD1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread,9_2_008CD1CC
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C724C NtQueryInformationProcess,9_2_008C724C
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C8BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose,9_2_008C8BF4
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008CCB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,9_2_008CCB7C
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008CDDCC NtMapViewOfSection,RtlNtStatusToDosError,9_2_008CDDCC
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C7540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError,9_2_008C7540
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C1688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateStreamOnHGlobal,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread,9_2_008C1688
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C7EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,9_2_008C7EB8
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C2830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,9_2_008C2830
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008CC994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree,9_2_008CC994
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C72B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,9_2_008C72B8
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008B8DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree,9_2_008B8DCC
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C7DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,9_2_008C7DC0
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C7E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,9_2_008C7E6C
                Source: C:\Windows\System32\svchost.exeCode function: 9_2_008C7F04 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,9_2_008C7F04
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF7F04 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError,10_2_0FBF7F04
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF7EB8 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError,10_2_0FBF7EB8
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF1688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateStreamOnHGlobal,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,PathFindFileNameA,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread,10_2_0FBF1688
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBFEEC8 GetWindowLongPtrA,SetWindowLongPtrA,NtdllDefWindowProc_A,10_2_0FBFEEC8
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF7E6C NtReadVirtualMemory,NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError,10_2_0FBF7E6C
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBE8DCC StrCmpIW,ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,StrStrIW,HeapFree,RegGetValueW,10_2_0FBE8DCC
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBFDDCC NtMapViewOfSection,RtlNtStatusToDosError,10_2_0FBFDDCC
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF7DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,10_2_0FBF7DC0
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF7540 memset,NtGetContextThread,RtlNtStatusToDosError,memcpy,NtSetContextThread,NtSetContextThread,RtlNtStatusToDosError,GetLastError,10_2_0FBF7540
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF8BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,NtClose,NtClose,10_2_0FBF8BF4
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBFCB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,10_2_0FBFCB7C
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF724C NtQueryInformationProcess,10_2_0FBF724C
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBFC994 HeapAlloc,memset,NtQueryInformationProcess,HeapFree,10_2_0FBFC994
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBFD1CC memset,VirtualProtectEx,ResumeThread,WaitForSingleObject,SuspendThread,NtGetContextThread,RtlNtStatusToDosError,VirtualProtectEx,GetLastError,ResumeThread,10_2_0FBFD1CC
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF72B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,10_2_0FBF72B8
                Source: C:\Windows\explorer.exeCode function: 10_2_0FBF2830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,10_2_0FBF2830
                Source: C:\Windows\explorer.exeCode function: 10_2_11028BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose,10_2_11028BF4
                Source: C:\Windows\explorer.exeCode function: 10_2_11021688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,HeapAlloc,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,HeapFree,HeapAlloc,wsprintfA,CreateThread,10_2_11021688
                Source: C:\Windows\explorer.exeCode function: 10_2_1102C994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree,10_2_1102C994
                Source: C:\Windows\explorer.exeCode function: 10_2_11022830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,10_2_11022830
                Source: C:\Windows\explorer.exeCode function: 10_2_1102CB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,10_2_1102CB7C
                Source: C:\Windows\explorer.exeCode function: 10_2_1102724C ZwQueryInformationProcess,10_2_1102724C
                Source: C:\Windows\explorer.exeCode function: 10_2_110272B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,10_2_110272B8
                Source: C:\Windows\explorer.exeCode function: 10_2_11027DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,10_2_11027DC0
                Source: C:\Windows\explorer.exeCode function: 10_2_11018DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree,10_2_11018DCC
                Source: C:\Windows\explorer.exeCode function: 10_2_1102DDCC NtMapViewOfSection,RtlNtStatusToDosError,10_2_1102DDCC
                Source: C:\Windows\explorer.exeCode function: 10_2_110E8BF4 memset,ZwOpenProcess,ZwOpenProcessToken,ZwQueryInformationToken,HeapAlloc,ZwQueryInformationToken,HeapFree,ZwClose,ZwClose,10_2_110E8BF4
                Source: C:\Windows\explorer.exeCode function: 10_2_110E1688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,HeapAlloc,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,HeapFree,HeapAlloc,wsprintfA,CreateThread,10_2_110E1688
                Source: C:\Windows\explorer.exeCode function: 10_2_110EC994 HeapAlloc,memset,ZwQueryInformationProcess,HeapFree,10_2_110EC994
                Source: C:\Windows\explorer.exeCode function: 10_2_110E2830 NtUnmapViewOfSection,RtlNtStatusToDosError,HeapFree,10_2_110E2830
                Source: C:\Windows\explorer.exeCode function: 10_2_110ECB7C memset,NtCreateSection,memset,RtlNtStatusToDosError,memcpy,memcpy,memcpy,memcpy,memcpy,GetModuleHandleA,memcpy,memcpy,HeapAlloc,memset,HeapFree,NtUnmapViewOfSection,RtlNtStatusToDosError,CloseHandle,10_2_110ECB7C
                Source: C:\Windows\explorer.exeCode function: 10_2_110E724C ZwQueryInformationProcess,10_2_110E724C
                Source: C:\Windows\explorer.exeCode function: 10_2_110E72B8 ZwQueryInformationProcess,HeapAlloc,HeapAlloc,StrRChrA,HeapFree,HeapFree,10_2_110E72B8
                Source: C:\Windows\explorer.exeCode function: 10_2_110D8DCC ZwQueryKey,lstrlenW,HeapAlloc,ZwQueryKey,lstrcpyW,HeapFree,HeapFree,10_2_110D8DCC
                Source: C:\Windows\explorer.exeCode function: 10_2_110EDDCC NtMapViewOfSection,RtlNtStatusToDosError,10_2_110EDDCC
                Source: C:\Windows\explorer.exeCode function: 10_2_110E7DC0 HeapFree,HeapAlloc,NtQuerySystemInformation,RtlNtStatusToDosError,10_2_110E7DC0
                Source: C:\Windows\explorer.exeCode function: 10_2_0FC23048 NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_0FC23048
                Source: C:\Windows\explorer.exeCode function: 10_2_0FC23154 NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_0FC23154
                Source: C:\Windows\explorer.exeCode function: 10_2_11053001 NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_11053001
                Source: C:\Windows\explorer.exeCode function: 10_2_11053154 NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_11053154
                Source: C:\Windows\explorer.exeCode function: 10_2_11113001 NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_11113001
                Source: C:\Windows\explorer.exeCode function: 10_2_11113154 NtProtectVirtualMemory,NtProtectVirtualMemory,10_2_11113154
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7D880 CreateProcessAsUserW,6_2_00B7D880
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CBF733C0_2_6CBF733C
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_008100000_2_00810000
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00810DD20_2_00810DD2
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_008100050_2_00810005
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_008109C50_2_008109C5
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_6CBF733C3_2_6CBF733C
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_034600003_2_03460000
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_034609C53_2_034609C5
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_03460DD23_2_03460DD2
                Source: C:\Windows\SysWOW64\regsvr32.exeCode function: 3_2_034600053_2_03460005
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_6CBF733C4_2_6CBF733C
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_03F50DD24_2_03F50DD2
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_03F500004_2_03F50000
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_03F509C54_2_03F509C5
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_2_03F500054_2_03F50005
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_6CBF733C5_2_6CBF733C
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02A400005_2_02A40000
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02A40DD25_2_02A40DD2
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02A400055_2_02A40005
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_2_02A409C55_2_02A409C5
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B613E46_2_00B613E4
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7CB7C6_2_00B7CB7C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7B5906_2_00B7B590
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B716886_2_00B71688
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B918B06_2_00B918B0
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B728A06_2_00B728A0
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7A0286_2_00B7A028
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7F0186_2_00B7F018
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B610006_2_00B61000
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B848046_2_00B84804
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B820706_2_00B82070
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7006C6_2_00B7006C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B851A46_2_00B851A4
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B8119C6_2_00B8119C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B839C86_2_00B839C8
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6B1106_2_00B6B110
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B749686_2_00B74968
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B80A8C6_2_00B80A8C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B73ADC6_2_00B73ADC
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7B2C46_2_00B7B2C4
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B782346_2_00B78234
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6CA006_2_00B6CA00
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B802546_2_00B80254
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B733AC6_2_00B733AC
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7AB286_2_00B7AB28
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B70B286_2_00B70B28
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B66B0C6_2_00B66B0C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B713586_2_00B71358
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B82B446_2_00B82B44
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6F4EC6_2_00B6F4EC
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B84C3C6_2_00B84C3C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B86C286_2_00B86C28
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6347C6_2_00B6347C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B69C686_2_00B69C68
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B65D9C6_2_00B65D9C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B7C5286_2_00B7C528
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B8AD786_2_00B8AD78
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B925506_2_00B92550
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B816946_2_00B81694
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B8CEE06_2_00B8CEE0
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B646D06_2_00B646D0
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B776C46_2_00B776C4
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6FE3C6_2_00B6FE3C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6AE3C6_2_00B6AE3C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6CE086_2_00B6CE08
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B756686_2_00B75668
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6EE546_2_00B6EE54
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6BFA46_2_00B6BFA4
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B667A06_2_00B667A0
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B73FF46_2_00B73FF4
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B61FFC6_2_00B61FFC
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B63F386_2_00B63F38
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B847086_2_00B84708
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B74F786_2_00B74F78
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B8576C6_2_00B8576C
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BA79B86_2_00BA79B8
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BC31786_2_00BC3178
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BC22576_2_00BC2257
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BBDCDE6_2_00BBDCDE
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BBE4C86_2_00BBE4C8
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BBED886_2_00BBED88
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BB6D526_2_00BB6D52
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BC8EC86_2_00BC8EC8
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00BC26236_2_00BC2623
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BCB7C7_2_002BCB7C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A13E47_2_002A13E4
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BB5907_2_002BB590
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B16887_2_002B1688
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BA0287_2_002BA028
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C48047_2_002C4804
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A10007_2_002A1000
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BF0187_2_002BF018
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B006C7_2_002B006C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C20707_2_002C2070
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B28A07_2_002B28A0
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002D18B07_2_002D18B0
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002AB1107_2_002AB110
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B49687_2_002B4968
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C51A47_2_002C51A4
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C119C7_2_002C119C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C39C87_2_002C39C8
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B82347_2_002B8234
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002ACA007_2_002ACA00
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C02547_2_002C0254
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C0A8C7_2_002C0A8C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BB2C47_2_002BB2C4
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B3ADC7_2_002B3ADC
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BAB287_2_002BAB28
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B0B287_2_002B0B28
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A6B0C7_2_002A6B0C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C2B447_2_002C2B44
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B13587_2_002B1358
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B33AC7_2_002B33AC
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C6C287_2_002C6C28
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C4C3C7_2_002C4C3C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A9C687_2_002A9C68
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A347C7_2_002A347C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002AF4EC7_2_002AF4EC
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002BC5287_2_002BC528
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002CAD787_2_002CAD78
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002D25507_2_002D2550
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A5D9C7_2_002A5D9C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002AFE3C7_2_002AFE3C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002AAE3C7_2_002AAE3C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002ACE087_2_002ACE08
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B56687_2_002B5668
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002AEE547_2_002AEE54
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C16947_2_002C1694
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002CCEE07_2_002CCEE0
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B76C47_2_002B76C4
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A46D07_2_002A46D0
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A3F387_2_002A3F38
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C47087_2_002C4708
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002C576C7_2_002C576C
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B4F787_2_002B4F78
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A67A07_2_002A67A0
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002ABFA47_2_002ABFA4
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002A1FFC7_2_002A1FFC
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002B3FF47_2_002B3FF4
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_003031787_2_00303178
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002E79B87_2_002E79B8
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_003022577_2_00302257
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002FE4C87_2_002FE4C8
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002FDCDE7_2_002FDCDE
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_0030D4C17_2_0030D4C1
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002F6D527_2_002F6D52
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_002FED887_2_002FED88
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_003026237_2_00302623
                Source: C:\Windows\System32\svchost.exeCode function: 7_2_00308EC87_2_00308EC8
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_001F13E48_2_001F13E4
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020B5908_2_0020B590
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002016888_2_00201688
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020A0288_2_0020A028
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_001F10008_2_001F1000
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002148048_2_00214804
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020F0188_2_0020F018
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020006C8_2_0020006C
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002120708_2_00212070
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002028A08_2_002028A0
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002218B08_2_002218B0
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_001FB1108_2_001FB110
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002049688_2_00204968
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002151A48_2_002151A4
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0021119C8_2_0021119C
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002139C88_2_002139C8
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002082348_2_00208234
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_001FCA008_2_001FCA00
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002102548_2_00210254
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00210A8C8_2_00210A8C
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020B2C48_2_0020B2C4
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00203ADC8_2_00203ADC
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020AB288_2_0020AB28
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00200B288_2_00200B28
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_001F6B0C8_2_001F6B0C
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_0020CB7C8_2_0020CB7C
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00212B448_2_00212B44
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002013588_2_00201358
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_002033AC8_2_002033AC
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00216C288_2_00216C28
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_00214C3C8_2_00214C3C
                Source: C:\Windows\System32\svchost.exeCode function: 8_2_001F347C8_2_001F347C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F9C68
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001FF4EC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0020C528
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0021AD78
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00222550
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F5D9C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001FCE08
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001FFE3C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001FAE3C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00205668
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001FEE54
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00211694
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0021CEE0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F46D0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_002076C4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F3F38
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00214708
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0021576C
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00204F78
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001FBFA4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F67A0
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00203FF4
Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F1FFC
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00253178
Source: C:\Windows\System32\svchost.exe Code function: 8_2_002379B8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00252257
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0024E4C8
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0024DCDE
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00246D52
Source: C:\Windows\System32\svchost.exe Code function: 8_2_0024ED88
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00252623
Source: C:\Windows\System32\svchost.exe Code function: 8_2_00258EC8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B13E4
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CCB7C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CB590
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C1688
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C28A0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008E18B0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D4804
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B1000
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CF018
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CA028
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C006C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D2070
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D119C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D51A4
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D39C8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BB110
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C4968
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D0A8C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CB2C4
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C3ADC
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BCA00
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C8234
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D0254
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C33AC
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B6B0C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CAB28
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C0B28
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D2B44
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C1358
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BF4EC
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D6C28
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D4C3C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B9C68
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B347C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B5D9C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008CC528
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008E2550
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008DAD78
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D1694
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C76C4
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B46D0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008DCEE0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BCE08
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BFE3C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BAE3C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BEE54
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C5668
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B67A0
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008BBFA4
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B1FFC
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C3FF4
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D4708
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B3F38
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008D576C
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008C4F78
Source: C:\Windows\System32\svchost.exe Code function: 9_2_008F79B8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00913178
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00912257
Source: C:\Windows\System32\svchost.exe Code function: 9_2_0090DCDE
Source: C:\Windows\System32\svchost.exe Code function: 9_2_0090E4C8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_0090ED88
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00906D52
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00918EC8
Source: C:\Windows\System32\svchost.exe Code function: 9_2_00912623
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF1688
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF5668
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE5D9C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFB590
Source: C:\Windows\explorer.exe Code function: 10_2_0FBEF4EC
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE13E4
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFCB7C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFB2C4
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF8234
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFF018
Source: C:\Windows\explorer.exe Code function: 10_2_0FBEBFA4
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE67A0
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE1FFC
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF3FF4
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE3F38
Source: C:\Windows\explorer.exe Code function: 10_2_0FC0576C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF4F78
Source: C:\Windows\explorer.exe Code function: 10_2_0FC04708
Source: C:\Windows\explorer.exe Code function: 10_2_0FC0CEE0
Source: C:\Windows\explorer.exe Code function: 10_2_0FC01694
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE46D0
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF76C4
Source: C:\Windows\explorer.exe Code function: 10_2_0FBEFE3C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBEAE3C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBECE08
Source: C:\Windows\explorer.exe Code function: 10_2_0FBEEE54
Source: C:\Windows\explorer.exe Code function: 10_2_0FC12550
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFC528
Source: C:\Windows\explorer.exe Code function: 10_2_0FC0AD78
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE347C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE9C68
Source: C:\Windows\explorer.exe Code function: 10_2_0FC06C28
Source: C:\Windows\explorer.exe Code function: 10_2_0FC04C3C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF33AC
Source: C:\Windows\explorer.exe Code function: 10_2_0FC02B44
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFAB28
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF0B28
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE6B0C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF1358
Source: C:\Windows\explorer.exe Code function: 10_2_0FC00A8C
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF3ADC
Source: C:\Windows\explorer.exe Code function: 10_2_0FC00254
Source: C:\Windows\explorer.exe Code function: 10_2_0FBECA00
Source: C:\Windows\explorer.exe Code function: 10_2_0FC039C8
Source: C:\Windows\explorer.exe Code function: 10_2_0FC0119C
Source: C:\Windows\explorer.exe Code function: 10_2_0FC051A4
Source: C:\Windows\explorer.exe Code function: 10_2_0FBEB110
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF4968
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF28A0
Source: C:\Windows\explorer.exe Code function: 10_2_0FC118B0
Source: C:\Windows\explorer.exe Code function: 10_2_0FBFA028
Source: C:\Windows\explorer.exe Code function: 10_2_0FC02070
Source: C:\Windows\explorer.exe Code function: 10_2_0FBE1000
Source: C:\Windows\explorer.exe Code function: 10_2_0FC04804
Source: C:\Windows\explorer.exe Code function: 10_2_0FBF006C
Source: C:\Windows\explorer.exe Code function: 10_2_110113E4
Source: C:\Windows\explorer.exe Code function: 10_2_11021688
Source: C:\Windows\explorer.exe Code function: 10_2_1101B110
Source: C:\Windows\explorer.exe Code function: 10_2_11024968
Source: C:\Windows\explorer.exe Code function: 10_2_1103119C
Source: C:\Windows\explorer.exe Code function: 10_2_110351A4
Source: C:\Windows\explorer.exe Code function: 10_2_110339C8
Source: C:\Windows\explorer.exe Code function: 10_2_11011000
Source: C:\Windows\explorer.exe Code function: 10_2_11034804
Source: C:\Windows\explorer.exe Code function: 10_2_1102F018
Source: C:\Windows\explorer.exe Code function: 10_2_1102A028
Source: C:\Windows\explorer.exe Code function: 10_2_1102006C
Source: C:\Windows\explorer.exe Code function: 10_2_11032070
Source: C:\Windows\explorer.exe Code function: 10_2_110228A0
Source: C:\Windows\explorer.exe Code function: 10_2_110418B0
Source: C:\Windows\explorer.exe Code function: 10_2_11016B0C
Source: C:\Windows\explorer.exe Code function: 10_2_1102AB28
Source: C:\Windows\explorer.exe Code function: 10_2_11020B28
Source: C:\Windows\explorer.exe Code function: 10_2_11032B44
Source: C:\Windows\explorer.exe Code function: 10_2_11021358
Source: C:\Windows\explorer.exe Code function: 10_2_1102CB7C
Source: C:\Windows\explorer.exe Code function: 10_2_110233AC
Source: C:\Windows\explorer.exe Code function: 10_2_1101CA00
Source: C:\Windows\explorer.exe Code function: 10_2_11028234
Source: C:\Windows\explorer.exe Code function: 10_2_11030254
Source: C:\Windows\explorer.exe Code function: 10_2_11030A8C
Source: C:\Windows\explorer.exe Code function: 10_2_1102B2C4
Source: C:\Windows\explorer.exe Code function: 10_2_11023ADC
Source: C:\Windows\explorer.exe Code function: 10_2_1102C528
Source: C:\Windows\explorer.exe Code function: 10_2_11042550
Source: C:\Windows\explorer.exe Code function: 10_2_1103AD78
Source: C:\Windows\explorer.exe Code function: 10_2_1102B590
Source: C:\Windows\explorer.exe Code function: 10_2_11015D9C
Source: C:\Windows\explorer.exe Code function: 10_2_11036C28
Source: C:\Windows\explorer.exe Code function: 10_2_11034C3C
Source: C:\Windows\explorer.exe Code function: 10_2_11019C68
Source: C:\Windows\explorer.exe Code function: 10_2_1101347C
Source: C:\Windows\explorer.exe Code function: 10_2_1101F4EC
Source: C:\Windows\explorer.exe Code function: 10_2_11034708
Source: C:\Windows\explorer.exe Code function: 10_2_11013F38
Source: C:\Windows\explorer.exe Code function: 10_2_1103576C
Source: C:\Windows\explorer.exe Code function: 10_2_11024F78
Source: C:\Windows\explorer.exe Code function: 10_2_110167A0
Source: C:\Windows\explorer.exe Code function: 10_2_1101BFA4
Source: C:\Windows\explorer.exe Code function: 10_2_11023FF4
Source: C:\Windows\explorer.exe Code function: 10_2_11011FFC
Source: C:\Windows\explorer.exe Code function: 10_2_1101CE08
Source: C:\Windows\explorer.exe Code function: 10_2_1101FE3C
Source: C:\Windows\explorer.exe Code function: 10_2_1101AE3C
Source: C:\Windows\explorer.exe Code function: 10_2_1101EE54
Source: C:\Windows\explorer.exe Code function: 10_2_11025668
Source: C:\Windows\explorer.exe Code function: 10_2_11031694
Source: C:\Windows\explorer.exe Code function: 10_2_110276C4
Source: C:\Windows\explorer.exe Code function: 10_2_110146D0
Source: C:\Windows\explorer.exe Code function: 10_2_1103CEE0
Source: C:\Windows\explorer.exe Code function: 10_2_110D13E4
Source: C:\Windows\explorer.exe Code function: 10_2_110E1688
Source: C:\Windows\explorer.exe Code function: 10_2_110DB110
Source: C:\Windows\explorer.exe Code function: 10_2_110E4968
Source: C:\Windows\explorer.exe Code function: 10_2_110F119C
Source: C:\Windows\explorer.exe Code function: 10_2_110F51A4
Source: C:\Windows\explorer.exe Code function: 10_2_110F39C8
Source: C:\Windows\explorer.exe Code function: 10_2_110F4804
Source: C:\Windows\explorer.exe Code function: 10_2_110D1000
Source: C:\Windows\explorer.exe Code function: 10_2_110EF018
Source: C:\Windows\explorer.exe Code function: 10_2_110EA028
Source: C:\Windows\explorer.exe Code function: 10_2_110E006C
Source: C:\Windows\explorer.exe Code function: 10_2_110F2070
Source: C:\Windows\explorer.exe Code function: 10_2_111018B0
Source: C:\Windows\explorer.exe Code function: 10_2_110E28A0
Source: C:\Windows\explorer.exe Code function: 10_2_110D6B0C
Source: C:\Windows\explorer.exe Code function: 10_2_110EAB28
Source: C:\Windows\explorer.exe Code function: 10_2_110E0B28
Source: C:\Windows\explorer.exe Code function: 10_2_110F2B44
Source: C:\Windows\explorer.exe Code function: 10_2_110E1358
Source: C:\Windows\explorer.exe Code function: 10_2_110ECB7C
Source: C:\Windows\explorer.exe Code function: 10_2_110E33AC
Source: C:\Windows\explorer.exe Code function: 10_2_110DCA00
Source: C:\Windows\explorer.exe Code function: 10_2_110E8234
Source: C:\Windows\explorer.exe Code function: 10_2_110F0254
Source: C:\Windows\explorer.exe Code function: 10_2_110F0A8C
Source: C:\Windows\explorer.exe Code function: 10_2_110EB2C4
Source: C:\Windows\explorer.exe Code function: 10_2_110E3ADC
Source: C:\Windows\explorer.exe Code function: 10_2_110EC528
Source: C:\Windows\explorer.exe Code function: 10_2_11102550
Source: C:\Windows\explorer.exe Code function: 10_2_110FAD78
Source: C:\Windows\explorer.exe Code function: 10_2_110D5D9C
Source: C:\Windows\explorer.exe Code function: 10_2_110EB590
Source: C:\Windows\explorer.exe Code function: 10_2_110F6C28
Source: C:\Windows\explorer.exe Code function: 10_2_110F4C3C
Source: C:\Windows\explorer.exe Code function: 10_2_110D9C68
Source: C:\Windows\explorer.exe Code function: 10_2_110D347C
Source: C:\Windows\explorer.exe Code function: 10_2_110DF4EC
Source: C:\Windows\explorer.exe Code function: 10_2_110F4708
Source: C:\Windows\explorer.exe Code function: 10_2_110D3F38
Source: C:\Windows\explorer.exe Code function: 10_2_110F576C
Source: C:\Windows\explorer.exe Code function: 10_2_110E4F78
Source: C:\Windows\explorer.exe Code function: 10_2_110DBFA4
Source: C:\Windows\explorer.exe Code function: 10_2_110D67A0
Source: C:\Windows\explorer.exe Code function: 10_2_110D1FFC
Source: C:\Windows\explorer.exe Code function: 10_2_110E3FF4
Source: C:\Windows\explorer.exe Code function: 10_2_110DCE08
Source: C:\Windows\explorer.exe Code function: 10_2_110DFE3C
Source: C:\Windows\explorer.exe Code function: 10_2_110DAE3C
Source: C:\Windows\explorer.exe Code function: 10_2_110DEE54
Source: C:\Windows\explorer.exe Code function: 10_2_110E5668
Source: C:\Windows\explorer.exe Code function: 10_2_110F1694
Source: C:\Windows\explorer.exe Code function: 10_2_110E76C4
Source: C:\Windows\explorer.exe Code function: 10_2_110D46D0
Source: C:\Windows\explorer.exe Code function: 10_2_110FCEE0
Source: C:\Windows\explorer.exe Code function: 10_2_0FC48ED0
Source: C:\Windows\explorer.exe Code function: 10_2_0FC4262B
Source: C:\Windows\explorer.exe Code function: 10_2_0FC3ED90
Source: C:\Windows\explorer.exe Code function: 10_2_0FC36D5A
Source: C:\Windows\explorer.exe Code function: 10_2_0FC3E4D0
Source: C:\Windows\explorer.exe Code function: 10_2_0FC3DCE6
Source: C:\Windows\explorer.exe Code function: 10_2_0FC4225F
Source: C:\Windows\explorer.exe Code function: 10_2_0FC279C0
Source: C:\Windows\explorer.exe Code function: 10_2_0FC43180
Source: C:\Windows\explorer.exe Code function: 10_2_11073180
Source: C:\Windows\explorer.exe Code function: 10_2_110579C0
Source: C:\Windows\explorer.exe Code function: 10_2_1107225F
Source: C:\Windows\explorer.exe Code function: 10_2_11066D5A
Source: C:\Windows\explorer.exe Code function: 10_2_1106ED90
Source: C:\Windows\explorer.exe Code function: 10_2_1106E4D0
Source: C:\Windows\explorer.exe Code function: 10_2_1106DCE6
Source: C:\Windows\explorer.exe Code function: 10_2_1107262B
Source: C:\Windows\explorer.exe Code function: 10_2_11078ED0
Source: C:\Windows\explorer.exe Code function: 10_2_11133180
Source: C:\Windows\explorer.exe Code function: 10_2_111179C0
Source: C:\Windows\explorer.exe Code function: 10_2_1113225F
Source: C:\Windows\explorer.exe Code function: 10_2_11126D5A
Source: C:\Windows\explorer.exe Code function: 10_2_1112ED90
Source: C:\Windows\explorer.exe Code function: 10_2_1112E4D0
Source: C:\Windows\explorer.exe Code function: 10_2_1112DCE6
Source: C:\Windows\explorer.exe Code function: 10_2_1113262B
Source: C:\Windows\explorer.exe Code function: 10_2_11138ED0
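The findings in this report use two identifier shapes: code functions are named process-index_stage_address (for example 10_2_0FBF1688), and the memory dumps that the Yara rules match are named process-index.stage.process.base.n[.raw].unpack (for example 10.2.explorer.exe.11143c58.7.unpack). The following Python script is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in both shapes, groups them by analysis process index, and answers the two questions an analyst asks first of a report like this one, namely which processes hold a Yara-matched Ursnif payload and which of those are Windows system processes (svchost.exe, explorer.exe, RuntimeBroker.exe) that can only have acquired that code through injection. The sample lines are constructed from entries in this report with the separators restored. Two things are assumptions rather than documented facts: that the first field is the analysis-local process index (not an OS PID) and the second a dump stage, and that attributing a function address to the highest dump base at or below it is a usable heuristic; both should be checked against the report's process tree and dump list.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries from this report, with the
# whitespace that the page extraction dropped put back.
SAMPLE_LINES = [
    r"Source: C:\Windows\System32\svchost.exe Code function: 8_2_001F9C68",
    r"Source: C:\Windows\System32\svchost.exe Code function: 8_2_00258EC8",
    r"Source: C:\Windows\System32\svchost.exe Code function: 9_2_008B13E4",
    r"Source: C:\Windows\explorer.exe Code function: 10_2_0FBF1688",
    r"Source: C:\Windows\explorer.exe Code function: 10_2_110113E4",
    r"Source: C:\Windows\explorer.exe Code function: 10_2_110E1688",
    "Source: 10.2.explorer.exe.11143c58.7.unpack, type: UNPACKEDPE Matched rule: ursnif author = Sekoia.io",
    "Source: 10.0.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPE Matched rule: Ursnif author = kevoreilly & enzo",
    "Source: 10.2.explorer.exe.110d0000.6.unpack, type: UNPACKEDPE Matched rule: ursnif author = Sekoia.io",
    "Source: 8.2.svchost.exe.263c50.1.unpack, type: UNPACKEDPE Matched rule: ursnif author = Sekoia.io",
    "Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.raw.unpack, type: UNPACKEDPE Matched rule: ursnif author = Sekoia.io",
    "Source: 3.3.regsvr32.exe.56094c0.11.raw.unpack, type: UNPACKEDPE Matched rule: ursnif author = Sekoia.io",
    "Source: atw3.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL",  # not a finding we parse
]

# <process index>_<stage>_<8 hex digits>; the process index is assumed to be
# analysis-local, not an OS PID.
CODE_FUNC_RE = re.compile(
    r"^Source: (?P<image>\S+) Code function: "
    r"(?P<pidx>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8})$"
)
# <process index>.<stage>.<process>.<base hex>.<n>[.raw].unpack, type: ... Matched rule: <name>
# The lazy process group stops at the first ".<hex>.<n>" tail, so names with a dot
# such as RuntimeBroker.exe survive intact.
DUMP_RE = re.compile(
    r"^Source: (?P<pidx>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?)\."
    r"(?P<base>[0-9A-Fa-f]+)\.(?P<idx>\d+)(?P<raw>\.raw)?\.unpack, "
    r"type: (?P<kind>\S+) Matched rule: (?P<rule>\S+)"
)

# Processes that should never contain an unpacked Ursnif PE unless injected into.
SYSTEM_IMAGES = ("svchost.exe", "explorer.exe", "runtimebroker.exe")


def parse_report_lines(lines):
    """Group code-function and Yara-matched-dump findings by analysis process index."""
    procs = defaultdict(lambda: {"image": None, "functions": set(), "dumps": []})
    for line in lines:
        m = CODE_FUNC_RE.match(line)
        if m:
            p = procs[int(m["pidx"])]
            p["image"] = m["image"].rsplit("\\", 1)[-1]   # keep the basename only
            p["functions"].add(int(m["addr"], 16))
            continue
        m = DUMP_RE.match(line)
        if m:
            p = procs[int(m["pidx"])]
            p["image"] = p["image"] or m["proc"]
            p["dumps"].append({
                "stage": int(m["stage"]),
                "base": int(m["base"], 16),
                "raw": m["raw"] is not None,
                "rule": m["rule"],
            })
    return dict(procs)


def payload_hosts(procs):
    """(process index, image) for every process with a Yara-matched dump, by index."""
    return sorted((idx, p["image"]) for idx, p in procs.items() if p["dumps"])


def injected_system_processes(procs):
    """Payload hosts that are Windows system processes: code there is injected, not loaded."""
    return [idx for idx, p in procs.items()
            if p["dumps"] and p["image"] and p["image"].lower() in SYSTEM_IMAGES]


def attribute_function(procs, pidx, addr):
    """Heuristic (assumption): the dump a function belongs to is the one with the
    highest base at or below its address. Returns None when no dump qualifies,
    which happens when the dump list is partial or the function lies in a region
    the sandbox did not dump."""
    bases = [d["base"] for d in procs[pidx]["dumps"] if d["base"] <= addr]
    return max(bases) if bases else None


if __name__ == "__main__":
    procs = parse_report_lines(SAMPLE_LINES)
    for idx, image in payload_hosts(procs):
        tag = "INJECTED SYSTEM PROCESS" if idx in injected_system_processes(procs) else "host"
        print(f"{idx:>3} {image:<20} dumps={len(procs[idx]['dumps'])} "
              f"functions={len(procs[idx]['functions'])} {tag}")
    for addr in sorted(procs[10]["functions"]):
        base = attribute_function(procs, 10, addr)
        print(f"explorer.exe function {addr:08X} -> dump base "
              f"{'none' if base is None else f'{base:08X}'}")
```

Run against the full report text (one finding per line, separators restored as above) the same functions give the complete injection map; the svchost.exe entries for process 9 show why the code-function list alone is not enough: that process has dozens of identified functions but no matched dump in this excerpt, so it only becomes a confirmed host once its dump lines are included.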
                Source: atw3.dllBinary or memory string: OriginalFilenameiglu.exe4 vs atw3.dll
                Source: atw3.dllStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                Source: 5.3.rundll32.exe.4b194c0.10.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 5.3.rundll32.exe.4b194c0.10.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 4.3.rundll32.exe.47794c0.10.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 4.3.rundll32.exe.47794c0.10.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 10.0.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 10.0.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 8.2.svchost.exe.263c50.1.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 8.2.svchost.exe.263c50.1.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 10.2.explorer.exe.11143c58.7.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 10.2.explorer.exe.11143c58.7.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 3.3.regsvr32.exe.56094c0.11.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 3.3.regsvr32.exe.56094c0.11.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 3.3.regsvr32.exe.56094c0.0.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 3.3.regsvr32.exe.56094c0.0.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 10.2.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 10.2.explorer.exe.fbe0000.0.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 3.3.regsvr32.exe.56094c0.11.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 3.3.regsvr32.exe.56094c0.11.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 5.3.rundll32.exe.4b194c0.10.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 5.3.rundll32.exe.4b194c0.10.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
                Source: 0.3.loaddll32.exe.2d994c0.12.raw.unpack, type: UNPACKEDPEMatched rule: ursnif author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c
                Source: 0.3.loaddll32.exe.2d994c0.12.raw.unpack, type: UNPACKEDPEMatched rule: Ursnif author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload
Matched rules: ursnif (author = Sekoia.io, description = Ursnif Payload, classification = TLP:CLEAR, version = 1.0, id = ac392af3-c344-453c-9427-5bb46223e01c) and Ursnif (author = kevoreilly & enzo, description = Ursnif Payload, cape_type = Ursnif Payload). Both rules matched each of the following sources, type: UNPACKEDPE:
Source: 0.3.loaddll32.exe.2d994c0.1.unpack
Source: 4.3.rundll32.exe.47494b0.12.raw.unpack
Source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack
Source: 8.2.svchost.exe.263c50.1.raw.unpack
Source: 6.2.svchost.exe.b60000.0.unpack
Source: 10.2.explorer.exe.11143c58.7.raw.unpack
Source: 10.2.explorer.exe.110d0000.6.unpack
Source: 10.0.explorer.exe.fc53c58.1.unpack
Source: 7.2.svchost.exe.2a0000.0.unpack
Source: 16.2.RuntimeBroker.exe.23b60353c58.1.unpack
Source: 13.2.rundll32.exe.18f767d3c58.2.raw.unpack
Source: 7.2.svchost.exe.2e3c50.2.raw.unpack
Source: 4.3.rundll32.exe.47794c0.1.unpack
Source: 10.0.explorer.exe.fc53c58.1.raw.unpack
Source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack
Source: 11.2.RuntimeBroker.exe.1ecfc703c58.2.unpack
Source: 7.2.svchost.exe.313c50.1.unpack
Source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack
Source: 4.3.rundll32.exe.47794c0.10.unpack
Source: 10.2.explorer.exe.fc53c58.2.raw.unpack
Source: 10.2.explorer.exe.11083c58.4.raw.unpack
Source: 4.3.rundll32.exe.47494b0.0.raw.unpack
Source: 13.2.rundll32.exe.18f76760000.0.unpack
Source: 8.2.svchost.exe.1f0000.0.unpack
Source: 11.2.RuntimeBroker.exe.1ecfc690000.0.unpack
Source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack
Source: 12.2.RuntimeBroker.exe.1d1787b3c58.2.raw.unpack
Source: 12.2.RuntimeBroker.exe.1d1787b3c58.2.unpack
Source: 10.2.explorer.exe.11083c58.4.unpack
Source: 0.3.loaddll32.exe.2d994c0.12.unpack
Source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack
Source: 13.2.rundll32.exe.18f767d3c58.2.unpack
Source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack
Source: 0.3.loaddll32.exe.2d994c0.1.raw.unpack
Source: 6.2.svchost.exe.bd3c50.2.raw.unpack
Source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack
Source: 7.2.svchost.exe.313c50.1.raw.unpack
Source: 10.0.explorer.exe.fc23c58.2.raw.unpack
Source: 10.2.explorer.exe.fc23c58.1.raw.unpack
Source: 16.2.RuntimeBroker.exe.23b602e0000.0.unpack
Source: 10.2.explorer.exe.fc53c58.2.unpack
Source: 4.3.rundll32.exe.47794c0.1.raw.unpack
Source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack
Source: 10.2.explorer.exe.11113c58.8.raw.unpack
Source: 6.2.svchost.exe.bd3c50.2.unpack
Source: 10.2.explorer.exe.11010000.3.unpack
Source: 5.3.rundll32.exe.4b194c0.1.unpack
Source: 3.3.regsvr32.exe.56094c0.0.unpack
Source: 12.2.RuntimeBroker.exe.1d178740000.0.unpack
Source: 10.2.explorer.exe.11053c58.5.raw.unpack
Source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack
Source: 6.2.svchost.exe.ba3c50.1.raw.unpack
Source: 9.2.svchost.exe.923c50.1.unpack
Source: 5.3.rundll32.exe.4b194c0.1.raw.unpack
Source: 9.2.svchost.exe.8b0000.0.unpack
Source: 9.2.svchost.exe.923c50.1.raw.unpack
Source: 16.2.RuntimeBroker.exe.23b60353c58.1.raw.unpack
Source: 9.2.svchost.exe.8f3c50.2.raw.unpack
Matched rule: Windows_Trojan_Gozi_261f5ac5 (reference_sample = 31835c6350177eff88265e81335a50fcbe0dc46771bf031c836947851dcebb4f, os = windows, severity = x86, creation_date = 2019-08-02, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Gozi, fingerprint = cbc8fec8fbaa809cfc7da7db72aeda43d4270f907e675016cbbc2e28e7b8553c, id = 261f5ac5-7800-4580-ac37-80b71c47c270, last_modified = 2021-08-23). The rule matched each of the following memory dumps, type: MEMORY:
Source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp
Source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
Source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp
Source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp
Source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp
Source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp
Source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp
Source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp
Source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp
Source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp
Source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp
Source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp
The same rule (Windows_Trojan_Gozi_261f5ac5, metadata as above) also matched the process memory space of the following processes, type: MEMORYSTR:
Source: Process Memory Space: svchost.exe PID: 2344
Source: Process Memory Space: svchost.exe PID: 2720
Source: Process Memory Space: svchost.exe PID: 3760
Source: Process Memory Space: svchost.exe PID: 6148
Source: Process Memory Space: explorer.exe PID: 2580
Source: Process Memory Space: RuntimeBroker.exe PID: 4872
Source: Process Memory Space: RuntimeBroker.exe PID: 5092
Source: Process Memory Space: rundll32.exe PID: 1060
Source: Process Memory Space: RuntimeBroker.exe PID: 5116
                Source: atw3.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: adsnrans.dll.5.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: classification engineClassification label: mal100.phis.bank.troj.spyw.evad.winDLL@21/2@3/1
                Source: C:\Windows\System32\svchost.exeCode function: 6_2_00B6EB00 memset,CloseHandle,CreateToolhelp32Snapshot,GetModuleHandleA,GetProcAddress,Thread32First,OpenThread,QueueUserAPC,CloseHandle,Thread32Next,CloseHandle,6_2_00B6EB00
                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\AvicprovJump to behavior
                Source: C:\Windows\System32\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\{90EE84C6-AF70-4266-B9C4-5396FD38372A}
                Source: C:\Windows\System32\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{749DA4BA-432A-C6CA-6DE8-275AF19C4B2E}
                Source: C:\Windows\System32\RuntimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\{6C7B0D4D-DB3F-7E73-C560-3F92C994E3E6}
                Source: C:\Windows\System32\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\{C059565F-1F02-F268-A9F4-C346ED68A7DA}
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_03
                Source: C:\Windows\System32\RuntimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\{0837D834-C7EE-7A5D-91BC-EB4E55B04F62}
                Source: C:\Windows\System32\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\{A876083A-E7E9-1ADE-B15C-0BEE75506F02}
                Source: C:\Windows\System32\RuntimeBroker.exeMutant created: \Sessions\1\BaseNamedObjects\{34EAAB4A-0390-8675-2DA8-E71AB15C0BEE}
                Source: C:\Windows\System32\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\{D4DF70B3-23C9-261C-4D48-07BAD1FC2B8E}
                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2472:120:WilError_03
                Source: atw3.dllStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                Source: C:\Windows\System32\loaddll32.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\atw3.dll,DllRegisterServer
                Source: atw3.dllReversingLabs: Detection: 57%
                Source: atw3.dllVirustotal: Detection: 68%
                Source: svchost.exeString found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
                Source: svchost.exeString found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
                Source: svchost.exeString found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
                Source: svchost.exeString found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
                Source: explorer.exeString found in binary or memory: EmailAddressCollection/EmailAddress[%u]/Address
                Source: unknownProcess created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\atw3.dll"
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\atw3.dll
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\atw3.dll,DllRegisterServer
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1
                Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll",DllRegisterServer
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1Jump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\atw3.dllJump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\atw3.dll,DllRegisterServerJump to behavior
                Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1Jump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exeJump to behavior
                Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll",DllRegisterServerJump to behavior
                Source: C:\Windows\System32\loaddll32.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\System32\loaddll32.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\System32\loaddll32.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: devobj.dllJump to behavior
                Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\explorer.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: webio.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Windows\System32\RuntimeBroker.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.1736053407.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1713119224.0000000005830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1714071911.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706772809.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.1736053407.0000000002E00000.00000004.00001000.00020000.00000000.sdmp, regsvr32.exe, 00000003.00000003.1713119224.0000000005830000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1714071911.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1706772809.0000000004DA0000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF150F LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,FindWindowA,0_2_6CBF150F
                Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\Desktop\atw3.dll
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6CBF732B push ecx; ret 0_2_6CBF733B
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0081548A push esp; retf 0_2_0081549A
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0081528D push ecx; retf 0_2_00815291
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008138A9 push ecx; ret 0_2_008138D2
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_008132E9 push edi; retf 0_2_008132EA
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0081462C push ecx; ret 0_2_0081462D
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00812E4D push ds; iretd 0_2_00812E5F
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00814B30 push ecx; ret 0_2_00814B69
                Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_00812538 pushfd ; rep ret 0_2_00812539
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_6CBF732B push ecx; ret 3_2_6CBF733B
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_03464B30 push ecx; ret 3_2_03464B69
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_03462538 pushfd ; rep ret 3_2_03462539
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_03462E4D push ds; iretd 3_2_03462E5F
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0346462C push ecx; ret 3_2_0346462D
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_034632E9 push edi; retf 3_2_034632EA
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0346528D push ecx; retf 3_2_03465291
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_0346548A push esp; retf 3_2_0346549A
                Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 3_2_034638A9 push ecx; ret 3_2_034638D2
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_6CBF732B push ecx; ret 4_2_6CBF733B
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F54B30 push ecx; ret 4_2_03F54B69
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F52538 pushfd ; rep ret 4_2_03F52539
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F532E9 push edi; retf 4_2_03F532EA
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F538A9 push ecx; ret 4_2_03F538D2
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F5528D push ecx; retf 4_2_03F55291
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F5548A push esp; retf 4_2_03F5549A
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F52E4D push ds; iretd 4_2_03F52E5F
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4_2_03F5462C push ecx; ret 4_2_03F5462D
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_6CBF732B push ecx; ret 5_2_6CBF733B
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02A438A9 push ecx; ret 5_2_02A438D2
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02A4528D push ecx; retf 5_2_02A45291
                Source: C:\Windows\SysWOW64\rundll32.exe Code function: 5_2_02A4548A push esp; retf 5_2_02A4549A
                Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll

                Boot Survival

                barindex
                Source: C:\Windows\System32\loaddll32.exe Window found: window name: ProgMan
                Source: C:\Windows\SysWOW64\regsvr32.exe Window found: window name: ProgMan
                Source: C:\Windows\SysWOW64\rundll32.exe Window found: window name: ProgMan
                Source: C:\Windows\SysWOW64\rundll32.exe Window found: window name: ProgMan
                Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Defasext
                Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Defasext

                Hooking and other Techniques for Hiding and Protection

                barindex
                Source: Yara match File source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: svchost.exe PID: 2720, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: svchost.exe PID: 3760, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: svchost.exe PID: 6148, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5092, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1060, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: RuntimeBroker.exe PID: 5116, type: MEMORYSTR
                Source: Yara match File source: 3.2.regsvr32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.loaddll32.exe.2d694b0.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.2.explorer.exe.fc23c58.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.rundll32.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 16.2.RuntimeBroker.exe.23b60323c58.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.2.explorer.exe.11053c58.5.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 13.2.rundll32.exe.18f767a3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 9.2.svchost.exe.8f3c50.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.rundll32.exe.42d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.3.rundll32.exe.4ae94b0.11.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.3.regsvr32.exe.55d94b0.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 6.2.svchost.exe.ba3c50.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.2.explorer.exe.11113c58.8.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.3.rundll32.exe.47494b0.12.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.0.explorer.exe.fc23c58.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.loaddll32.exe.2d694b0.10.unpack, type: UNPACKEDPE
                Source: Yara match File source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.2.rundll32.exe.3fa0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 8.2.svchost.exe.233c50.2.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.rundll32.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.2.regsvr32.exe.34b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.3.regsvr32.exe.55d94b0.12.unpack, type: UNPACKEDPE
                Source: Yara match File source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 12.2.RuntimeBroker.exe.1d178783c58.1.unpack, type: UNPACKEDPE
                Source: Yara match File source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 4.3.rundll32.exe.47494b0.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.2e3c50.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000002.1716335740.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000005.00000003.1714696706.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000003.1713752147.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.1715716468.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000003.1701139079.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.1740443411.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000010.00000002.4494737876.0000023B60323000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.4584103095.0000000011053000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000B.00000002.4500307838.000001ECFC6D3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.1765530141.00000000002E3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.4583025983.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000000.1785007984.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000003.1697742809.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000003.1734980952.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.1799489416.0000000000233000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000004.00000003.1716382978.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000A.00000002.4584617538.0000000011113000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 0000000D.00000002.4491795198.0000018F767A3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000003.1739987325.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: explorer.exe; IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                Source: explorer.exe; IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFE216DE41C
                Source: explorer.exe; EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFE216DE400
                Source: explorer.exe; User mode code has changed: module: ntdll.dll function: RtlExitUserThread new code: 0xEB 0xBF 0xFE 0xEC 0xCC 0xCC
                Source: C:\Windows\System32\svchost.exe; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Microsoft\A00F7A51-7F7E-D2F9-09D4-23264D4807BA Temp
                Source: C:\Windows\System32\loaddll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\loaddll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\regsvr32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\regsvr32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe; Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Windows\System32\loaddll32.exe; Code function: vbox qemu qemu vmware 0_2_6CBF1000
                Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: vbox qemu qemu vmware 3_2_6CBF1000
                Source: C:\Windows\SysWOW64\rundll32.exe; Code function: vbox qemu qemu vmware 4_2_6CBF1000
                Source: C:\Windows\SysWOW64\rundll32.exe; Code function: vbox qemu qemu vmware 5_2_6CBF1000
                Source: C:\Windows\explorer.exe; Code function: OpenProcess,K32GetModuleFileNameExW,CloseHandle,StrRChrW,StrChrW,StrStrIW,GetSystemTimeAsFileTime,GetWindowTextW,HeapAlloc,GetSystemTimeAsFileTime,10_2_0FBFDFB8
                Source: C:\Windows\SysWOW64\regsvr32.exe; API/Special instruction interceptor: Address: 7FFE2220DA04
                Source: C:\Windows\SysWOW64\regsvr32.exe; API/Special instruction interceptor: Address: 7FFE2220D744
                Source: C:\Windows\SysWOW64\regsvr32.exe; API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 7FFE2220DA04
                Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 7FFE2220D744
                Source: C:\Windows\System32\loaddll32.exe; API/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6CBF52C0 rdtsc 0_2_6CBF52C0
                Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6CBF1000 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,SetupDiDestroyDeviceInfoList,0_2_6CBF1000
                Source: C:\Windows\SysWOW64\rundll32.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll
                Source: C:\Windows\explorer.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Windows\SysWOW64\rundll32.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes graph_4-2788
                Source: C:\Windows\SysWOW64\regsvr32.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-2790
                Source: C:\Windows\System32\loaddll32.exe; Check user administrative privileges: GetTokenInformation,DecisionNodes graph_0-2788
                Source: C:\Windows\System32\svchost.exe; API coverage: 4.6 %
                Source: C:\Windows\System32\svchost.exe; API coverage: 4.7 %
                Source: C:\Windows\System32\svchost.exe; API coverage: 3.4 %
                Source: C:\Windows\System32\svchost.exe; API coverage: 4.6 %
                Source: C:\Windows\explorer.exe; API coverage: 4.7 %
                Source: C:\Windows\System32\svchost.exe TID: 5308; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 5552; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 5580; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 4408; Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,0_2_6CBF2FCE
                Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,0_2_6CBF5E30
                Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 3_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,3_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\regsvr32.exe; Code function: 3_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,3_2_6CBF5E30
                Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,4_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,4_2_6CBF5E30
                Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_6CBF2FCE HeapAlloc,HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,FindFirstFileA,CompareFileTime,CompareFileTime,FindClose,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,HeapFree,HeapFree,5_2_6CBF2FCE
                Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 5_2_6CBF5E30 VirtualAlloc,SHGetFolderPathW,wcslen,memset,memcpy,memcpy,AddFontResourceExW,RemoveFontResourceExW,memset,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,AddFontResourceExW,RemoveFontResourceExW,DefWindowProcW,RegisterClassExW,memset,CreateWindowExW,DestroyWindow,SetParent,SetWindowLongW,GetWindowLongW,SetWindowLongW,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,AddFontResourceExW,EnterCriticalSection,GetWindowLongW,SetMenu,5_2_6CBF5E30
                Source: C:\Windows\System32\svchost.exe; Code function: 6_2_00B918B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,6_2_00B918B0
                Source: C:\Windows\System32\svchost.exe; Code function: 6_2_00B75ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,6_2_00B75ABC
                Source: C:\Windows\System32\svchost.exe; Code function: 6_2_00B78234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,6_2_00B78234
                Source: C:\Windows\System32\svchost.exe; Code function: 6_2_00B75668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,6_2_00B75668
                Source: C:\Windows\System32\svchost.exe; Code function: 7_2_002D18B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,7_2_002D18B0
                Source: C:\Windows\System32\svchost.exe; Code function: 7_2_002B8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,7_2_002B8234
                Source: C:\Windows\System32\svchost.exe; Code function: 7_2_002B5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,7_2_002B5ABC
                Source: C:\Windows\System32\svchost.exe; Code function: 7_2_002B5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,7_2_002B5668
                Source: C:\Windows\System32\svchost.exe; Code function: 8_2_002218B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,8_2_002218B0
                Source: C:\Windows\System32\svchost.exe; Code function: 8_2_00208234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,8_2_00208234
                Source: C:\Windows\System32\svchost.exe; Code function: 8_2_00205ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,8_2_00205ABC
                Source: C:\Windows\System32\svchost.exe; Code function: 8_2_00205668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,8_2_00205668
                Source: C:\Windows\System32\svchost.exe; Code function: 9_2_008E18B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,9_2_008E18B0
                Source: C:\Windows\System32\svchost.exe; Code function: 9_2_008C5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,9_2_008C5ABC
                Source: C:\Windows\System32\svchost.exe; Code function: 9_2_008C8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,9_2_008C8234
                Source: C:\Windows\System32\svchost.exe; Code function: 9_2_008C5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,9_2_008C5668
                Source: C:\Windows\explorer.exe; Code function: 10_2_0FBF5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,PathCombineW,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,StrRChrW,PathCombineW,PathFindFileNameW,PathCombineW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,PathCombineW,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,PathCombineW,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,10_2_0FBF5668
                Source: C:\Windows\explorer.exe; Code function: 10_2_0FBF8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,StrChrA,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,10_2_0FBF8234
                Source: C:\Windows\explorer.exe; Code function: 10_2_0FBF5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,PathCombineW,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,PathCombineW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,10_2_0FBF5ABC
                Source: C:\Windows\explorer.exe; Code function: 10_2_0FC118B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,10_2_0FC118B0
                Source: C:\Windows\explorer.exe; Code function: 10_2_110418B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,10_2_110418B0
                Source: C:\Windows\explorer.exe; Code function: 10_2_11028234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,10_2_11028234
                Source: C:\Windows\explorer.exe; Code function: 10_2_11025ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,10_2_11025ABC
                Source: C:\Windows\explorer.exe; Code function: 10_2_11025668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,10_2_11025668
                Source: C:\Windows\explorer.exe; Code function: 10_2_111018B0 VirtualAlloc,wcslen,memset,memcpy,memcpy,memcpy,FindFirstFileW,FindNextFileW,memset,memcpy,wcslen,memcpy,memset,EnterCriticalSection,CreateThread,CreateThread,SetThreadAffinityMask,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,GetCurrentThread,SetThreadAffinityMask,SetThreadAffinityMask,GetCurrentThread,SetThreadPriority,SetThreadPriority,SetThreadPriority,ResumeThread,ResumeThread,Sleep,LeaveCriticalSection,memset,EnterCriticalSection,10_2_111018B0
                Source: C:\Windows\explorer.exe; Code function: 10_2_110E8234 HeapAlloc,HeapAlloc,memset,CreateFileA,GetFileTime,CloseHandle,StrRChrA,lstrcatA,FindFirstFileA,HeapFree,HeapFree,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,memcpy,FindNextFileA,FindClose,FindFirstFileA,CompareFileTime,FindClose,10_2_110E8234
                Source: C:\Windows\explorer.exe; Code function: 10_2_110E5ABC lstrlenW,HeapAlloc,HeapAlloc,HeapAlloc,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,HeapFree,HeapFree,HeapFree,10_2_110E5ABC
                Source: C:\Windows\explorer.exe; Code function: 10_2_110E5668 HeapAlloc,lstrlenW,lstrlenW,HeapAlloc,memset,FindFirstFileW,lstrlenW,lstrlenW,HeapAlloc,memset,wcscpy,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,HeapFree,HeapAlloc,FindNextFileW,WaitForSingleObject,FindClose,HeapFree,HeapFree,HeapFree,10_2_110E5668
                Source: C:\Windows\System32\svchost.exe; Code function: 6_2_00B6932C wcscpy,GetLogicalDriveStringsW,HeapAlloc,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,HeapFree,HeapFree,6_2_00B6932C
                Source: explorer.exe, 0000000A.00000002.4573458808.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: rundll32.exe, rundll32.exe, 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp; Binary or memory string: virtual hd
                Source: explorer.exe, 0000000A.00000002.4490368301.0000000001240000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                Source: explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: RuntimeBroker.exe, 0000000C.00000002.4492098507.000001D175C80000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2246122658-3693405117-2476756634-1002\fdeploy\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: rundll32.exe, 0000000D.00000002.4490166405.0000018F76598000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll%
                Source: svchost.exe, 00000006.00000002.1795357235.000001EE6FC6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.000002715546D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800200737.000002390246B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790335410.00000236FDA6B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4492098507.000001D175CDF000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4493588539.0000023B5E6B7000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: svchost.exe, 00000009.00000002.1789867435.00000236FDA13000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW@2
                Source: svchost.exe, 00000008.00000002.1799939841.0000023902413000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW@dH
                Source: explorer.exe, 0000000A.00000003.3106345061.0000000009979000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: RuntimeBroker.exe, 00000010.00000002.4503781745.0000023B60E79000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: svchost.exe, 00000007.00000002.1766518278.0000027155483000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth]
                Source: explorer.exe, 0000000A.00000002.4565072197.0000000009815000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: NECVMWar VMware SATA CD00\w
                Source: explorer.exe, 0000000A.00000002.4565072197.0000000009815000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                Source: explorer.exe, 0000000A.00000002.4573458808.00000000098A8000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp; Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
                Source: svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@%SystemRoot%\System32\fveui.dll,-844
                Source: explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}%
                Source: rundll32.exe, 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: vmware
                Source: svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWwbG`|M
                Source: explorer.exe, 0000000A.00000003.3106345061.0000000009979000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                Source: svchost.exe, 00000006.00000002.1795087735.000001EE6FC13000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@Z
                Source: explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
                Source: explorer.exe, 0000000A.00000002.4565072197.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                Source: rundll32.exe, 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}ADVAPI32.DLL*.*LdrGetProcedureAddressRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotification\.exe%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserACreateProcessAsUserWvboxqemurunascmd.exe/C "copy "%s" "%s" /y && rundll32 "%s",%S"/C "copy "%s" "%s" /y && "%s" "%s""Low\vmwarevirtual hdc:\321.txt"%S" "%S"ProgManversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%sMicrosoftIsWow64ProcessWow64EnableWow64FsRedirectionD:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
                Source: explorer.exe, 0000000A.00000002.4506551141.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
                Source: RuntimeBroker.exe, 0000000B.00000002.4498496505.000001ECFBFD7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWw5%SystemRoot%\system32\mswsock.dllLocalState
                Source: svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@%SystemRoot%\system32\NgcRecovery.dll,-100@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124@%SystemRoot%\System32\fveui.dll,-844RSVP UDPv6 Service Provider
                Source: svchost.exe, 00000007.00000002.1766051352.0000027155413000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@jHUq
                Source: explorer.exe, 0000000A.00000000.1770828071.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                Source: explorer.exe, 0000000A.00000002.4490368301.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: RuntimeBroker.exe, 00000010.00000002.4493588539.0000023B5E6B7000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end node
                Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end node
                Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end node
                Source: C:\Windows\System32\svchost.exeAPI call chain: ExitProcess graph end node
                Source: C:\Windows\explorer.exeAPI call chain: ExitProcess graph end node
                Source: C:\Windows\System32\loaddll32.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CBF52C0 rdtsc 0_2_6CBF52C0
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00810DD2 LdrLoadDll,0_2_00810DD2
                Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_6CBF150F LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,FindWindowA,0_2_6CBF150F

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe | Network Connect: 185.85.0.29 443
                Source: C:\Windows\System32\loaddll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 970000 protect: page execute and read and write
                Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: C20000 protect: page execute and read and write
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 2B0000 protect: page execute and read and write
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\System32\svchost.exe base: 360000 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC750000 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\rundll32.exe base: 18F76540000 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1D1777A0000 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 23B603A0000 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute read
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute read
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute read
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute and read and write
                Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640 protect: page execute read
                Source: C:\Windows\System32\svchost.exe | Thread created: C:\Windows\explorer.exe EIP: 221C4640
                Source: C:\Windows\System32\svchost.exe | Thread created: C:\Windows\explorer.exe EIP: 221C4640
                Source: C:\Windows\System32\svchost.exe | Thread created: C:\Windows\explorer.exe EIP: 221C4640
                Source: C:\Windows\System32\svchost.exe | Thread created: C:\Windows\explorer.exe EIP: 221C4640
                Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 221C4640
                Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 221C4640
                Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 221C4640
                Source: C:\Windows\explorer.exe | Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: 221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: EB
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 3450000 value: 40
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: 40
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: EB
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 1340000 value: 40
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: 40
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: EB
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: EB
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 3440000 value: 40
                Source: C:\Windows\System32\svchost.exe | Memory written: PID: 2580 base: 7FFE221C4640 value: 40
                Source: C:\Windows\System32\loaddll32.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\regsvr32.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: NULL target: C:\Windows\System32\svchost.exe protection: execute and read and write
                Source: C:\Windows\System32\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Windows\System32\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Windows\System32\svchost.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
                Source: C:\Windows\explorer.exe | Section loaded: NULL target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                Source: C:\Windows\explorer.exe | Section loaded: NULL target: C:\Windows\System32\rundll32.exe protection: execute and read and write
                Source: C:\Windows\explorer.exe | Section loaded: NULL target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                Source: C:\Windows\explorer.exe | Section loaded: NULL target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                Source: C:\Windows\System32\loaddll32.exe | Thread register set: target process: 6148
                Source: C:\Windows\SysWOW64\regsvr32.exe | Thread register set: target process: 2344
                Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 3760
                Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 2720
                Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 2580
                Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 2580
                Source: C:\Windows\System32\svchost.exe | Thread register set: target process: 2580
                Source: C:\Windows\explorer.exe | Thread register set: target process: 4872
                Source: C:\Windows\explorer.exe | Thread register set: target process: 1060
                Source: C:\Windows\explorer.exe | Thread register set: target process: 5092
                Source: C:\Windows\explorer.exe | Thread register set: target process: 5116
                Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 970000
                Source: C:\Windows\System32\loaddll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\svchost.exe base: C20000
                Source: C:\Windows\SysWOW64\regsvr32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 2B0000
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 360000
                Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25080
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 3450000
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 1340000
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 3440000
                Source: C:\Windows\System32\svchost.exe | Memory written: C:\Windows\explorer.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1ECFC750000
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF760AD6890
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\rundll32.exe base: 18F76540000
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF760AD6890
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1D1777A0000
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 23B603A0000
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFE221C4640
                Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CBF1DDB memset,CoInitializeEx,PathFindExtensionW,lstrcpyW,lstrlenW,lstrlenW,lstrlenW,lstrlenA,lstrcpyW,lstrlenW,lstrlenW,lstrlenW,wsprintfW,ShellExecuteExW,CoUninitialize, 0_2_6CBF1DDB
                Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1
                Source: C:\Windows\SysWOW64\regsvr32.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe
                Source: explorer.exe, 0000000A.00000000.1770828071.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768532891.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4502384170.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: loaddll32.exe, loaddll32.exe, 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, loaddll32.exe, 00000000.00000002.1740364483.0000000000A2D000.00000004.00000020.00020000.00000000.sdmp, regsvr32.exe, regsvr32.exe, 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: ProgMan
                Source: explorer.exe, 0000000A.00000002.4492726608.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1767210511.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000000.1804479853.000001ECFA860000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 0000000A.00000000.1766662216.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4490368301.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
                Source: explorer.exe, 0000000A.00000002.4492726608.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1767210511.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000000.1804479853.000001ECFA860000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: loaddll32.exe, 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, regsvr32.exe, 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, rundll32.exe, 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: 64RtlSetUnhandledExceptionFilterSystemRoot%08X-%04X-%04X-%04X-%08X%04X{%08X-%04X-%04X-%04X-%08X%04X}ADVAPI32.DLL*.*LdrGetProcedureAddressRtlExitUserThreadCreateRemoteThreadZwWriteVirtualMemoryLdrLoadDllZwProtectVirtualMemorykernelbaseLdrRegisterDllNotificationLdrUnregisterDllNotification\.exe%TEMP%\LowCreateProcessACreateProcessWCreateProcessAsUserACreateProcessAsUserWvboxqemurunascmd.exe/C "copy "%s" "%s" /y && rundll32 "%s",%S"/C "copy "%s" "%s" /y && "%s" "%s""Low\vmwarevirtual hdc:\321.txt"%S" "%S"ProgManversion=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%sMicrosoftIsWow64ProcessWow64EnableWow64FsRedirectionD:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)
                Source: explorer.exe, 0000000A.00000002.4492726608.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1767210511.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000000.1804479853.000001ECFA860000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: explorer.exe, 0000000A.00000002.4583369028.0000000010CE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: C:\Windows\explorer.exeProgram Managerr
                Source: C:\Windows\System32\svchost.exe | Code function: 6_2_00BB88BA cpuid 6_2_00BB88BA
                Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CBF1000 SetupDiGetClassDevsA,SetupDiEnumDeviceInfo,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,SetupDiGetDeviceRegistryPropertyA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,StrStrIA,SetupDiDestroyDeviceInfoList, 0_2_6CBF1000
                Source: C:\Windows\System32\svchost.exe | Code function: 6_2_00B71688 InitializeCriticalSection,HeapAlloc,memset,InitializeCriticalSection,CreateMutexExA,GetLastError,CloseHandle,HeapAlloc,InitializeCriticalSection,InitializeCriticalSection,GetVersion,GetModuleHandleA,HeapAlloc,GetUserNameA,HeapAlloc,GetUserNameA,memcpy,GetModuleHandleA,GetModuleHandleA,GetSystemTimeAsFileTime,HeapFree,GetModuleHandleA,CreateThread,CloseHandle,GetLastError,GetShellWindow,GetWindowThreadProcessId,ZwQueryInformationProcess,OpenProcess,NtSuspendProcess,RtlNtStatusToDosError,NtResumeProcess,RtlNtStatusToDosError,CloseHandle,GetLastError,ExitProcess,HeapAlloc,CreateThread,CreateStreamOnHGlobal,CreateEventA,CreateThread,GetLastError,LoadLibraryA,CreateNamedPipeA,CreateThread,GetLastError,CloseHandle,GetLastError,StrChrA,HeapFree,HeapAlloc,wsprintfA,CreateThread, 6_2_00B71688
                Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6CBF4FC0 GetVersionExW, 0_2_6CBF4FC0

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: C:\Windows\explorer.exe | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js

                Stealing of Sensitive Information

                Source: Yara match | File source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 2720, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 3760, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: svchost.exe PID: 6148, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5092, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1060, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 5116, type: MEMORYSTR
                Source: Yara match | File source: 3.2.regsvr32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.3.loaddll32.exe.2d694b0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.fc23c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.2.rundll32.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 16.2.RuntimeBroker.exe.23b60323c58.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11053c58.5.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 13.2.rundll32.exe.18f767a3c58.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.svchost.exe.8f3c50.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.rundll32.exe.42d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.3.rundll32.exe.4ae94b0.11.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.3.regsvr32.exe.55d94b0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.svchost.exe.ba3c50.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 10.2.explorer.exe.11113c58.8.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 4.3.rundll32.exe.47494b0.12.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.0.explorer.exe.fc23c58.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.rundll32.exe.3fa0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.svchost.exe.233c50.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.rundll32.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.34b0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.12.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 12.2.RuntimeBroker.exe.1d178783c58.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.rundll32.exe.47494b0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.2e3c50.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.1716335740.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1714696706.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.1713752147.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1715716468.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1701139079.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1740443411.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4494737876.0000023B60323000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4584103095.0000000011053000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.4500307838.000001ECFC6D3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1765530141.00000000002E3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4583025983.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.1785007984.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.1697742809.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1734980952.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1799489416.0000000000233000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1716382978.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4584617538.0000000011113000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4491795198.0000018F767A3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1739987325.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\explorer.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js

                Remote Access Functionality

                Source: Yara matchFile source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2344, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 2720, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 3760, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 6148, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4872, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 5092, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1060, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 5116, type: MEMORYSTR
                Source: Yara matchFile source: 3.2.regsvr32.exe.34b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.fc23c58.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.rundll32.exe.3fa0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 16.2.RuntimeBroker.exe.23b60323c58.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11053c58.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.rundll32.exe.18f767a3c58.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.svchost.exe.8f3c50.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.rundll32.exe.42d0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.svchost.exe.233c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.rundll32.exe.47494b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 12.2.RuntimeBroker.exe.1d178783c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.11.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.svchost.exe.ba3c50.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11113c58.8.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.rundll32.exe.47494b0.12.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.0.explorer.exe.fc23c58.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.10.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.2e3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.2.rundll32.exe.3fa0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 16.2.RuntimeBroker.exe.23b60323c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.10.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.rundll32.exe.47494b0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 8.2.svchost.exe.233c50.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.da0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.rundll32.exe.42d0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.34b0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.da0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.rundll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.12.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.3.loaddll32.exe.2d694b0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 11.2.RuntimeBroker.exe.1ecfc6d3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 12.2.RuntimeBroker.exe.1d178783c58.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.3.regsvr32.exe.55d94b0.12.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.0.explorer.exe.fc23c58.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.fc23c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 4.3.rundll32.exe.47494b0.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.11.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11113c58.8.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 3.2.regsvr32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.3.rundll32.exe.4ae94b0.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.2e3c50.2.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0.2.loaddll32.exe.6cbf0000.1.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 10.2.explorer.exe.11053c58.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 13.2.rundll32.exe.18f767a3c58.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 6.2.svchost.exe.ba3c50.1.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 9.2.svchost.exe.8f3c50.2.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.1716335740.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000003.1714696706.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.1713752147.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.1715716468.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1701139079.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.1740443411.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000010.00000002.4494737876.0000023B60323000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4584103095.0000000011053000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.4500307838.000001ECFC6D3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1765530141.00000000002E3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4583025983.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000000.1785007984.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000003.1697742809.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1734980952.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000008.00000002.1799489416.0000000000233000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000003.1716382978.0000000004749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.4584617538.0000000011113000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000D.00000002.4491795198.0000018F767A3000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000003.1739987325.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                MITRE ATT&CK Matrix

                Techniques the report marks as matched, grouped by tactic. The number in parentheses is the superscript the report shows beside each technique; tactics for which the report marks nothing are listed as "none".

                Reconnaissance: none
                Resource Development: Scripting (1)
                Initial Access: Valid Accounts (1)
                Execution: Native API (3), Command and Scripting Interpreter (2)
                Persistence: Scripting (1), DLL Side-Loading (1), Valid Accounts (1), Registry Run Keys / Startup Folder (1)
                Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (1), Access Token Manipulation (1), Process Injection (813), Registry Run Keys / Startup Folder (1)
                Defense Evasion: Obfuscated Files or Information (1), Software Packing (1), DLL Side-Loading (1), Rootkit (4), Masquerading (1), Valid Accounts (1), Modify Registry (1), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (813), Regsvr32 (1), Rundll32 (1)
                Credential Access: OS Credential Dumping (1), Credential API Hooking (3), Input Capture (11)
                Discovery: System Time Discovery (1), Peripheral Device Discovery (1), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (123), Query Registry (1), Security Software Discovery (511), Virtualization/Sandbox Evasion (11), Process Discovery (3), System Owner/User Discovery (1)
                Lateral Movement: none
                Collection: Archive Collected Data (1), Browser Session Hijacking (1), Data from Local System (1), Credential API Hooking (3), Input Capture (11)
                Command and Control: Ingress Tool Transfer (1), Encrypted Channel (11), Non-Application Layer Protocol (2), Application Layer Protocol (3), Proxy (1)
                Exfiltration: none
                Impact: none

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 1581113   Sample: atw3.dll   Startdate: 27/12/2024   Architecture: WINDOWS   Score: 100

                Process tree as drawn in the graph (indentation shows parent/child; the small numbers after a process name are the per-process counts from the legend below, created registry values and created files):

                Start
                  DNS/IP info: ardshinbank.at; www.php.net; 5 other IPs or domains
                  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 13 other signatures
                  loaddll32.exe 3 (started): Detected Gozi e-Banking trojan; Contain functionality to detect virtual machines; Writes to foreign memory regions; 5 other signatures
                    regsvr32.exe 1 2 (started): Detected Gozi e-Banking trojan; Contain functionality to detect virtual machines; Writes to foreign memory regions; 2 other signatures
                      svchost.exe 1 (started): Detected Gozi e-Banking trojan; Found PHP interpreter; Found Tor onion address; Maps a DLL or memory area into another process
                        explorer.exe 10 1 (injected): dropped C:\Users\user\AppData\Roaming\...\prefs.js, ASCII; Detected Gozi e-Banking trojan; System process connects to network (likely due to code injection or exploit); Found PHP interpreter; 9 other signatures
                          rundll32.exe (started): Found PHP interpreter; Found Tor onion address
                          RuntimeBroker.exe (injected)
                          RuntimeBroker.exe (injected)
                          2 other processes
                    cmd.exe 1 (started)
                      rundll32.exe 1 3 (started): dropped C:\Users\user\AppData\...\adsnrans.dll, PE32; Writes to foreign memory regions; Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
                        svchost.exe 1 (started): DNS/IP info: www-php-net.ax4z.com 185.85.0.29, 443, 49730, 49731 SOPRADO-ANYDE Germany; Found Tor onion address; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions
                        conhost.exe (started)
                    rundll32.exe 2 (started): Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process
                      svchost.exe (started): Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection)
                    2 other processes: Found PHP interpreter; Found Tor onion address; Injects code into the Windows Explorer (explorer.exe); Creates a thread in another existing process (thread injection)
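As an added example (not code from the Joe Sandbox report or from Joe Security), the chain the graph above draws, regsvr32.exe starting svchost.exe, that svchost.exe injecting into explorer.exe, and explorer.exe injecting into RuntimeBroker.exe, expressed as a detection over Sysmon-style ProcessCreate (EventID 1) and ProcessAccess (EventID 10) events. Everything in the event list is constructed: only the PIDs 2344 (svchost.exe), 2580 (explorer.exe) and 4872 (RuntimeBroker.exe) come from the report, the image paths, the other PIDs, the 0x1FFFFF access mask and the services.exe parent allowlist are assumptions.

```python
"""Detect the svchost.exe -> explorer.exe -> RuntimeBroker.exe injection chain
from Sysmon-style telemetry. Added example; the events are constructed."""
from collections import defaultdict

SYS32 = r"C:\Windows\System32"


def sys32(name):
    return SYS32 + "\\" + name


# Constructed events mirroring the report's process tree (not captured logs).
# PIDs 2344, 2580 and 4872 are the ones the report gives; the remaining PIDs
# and all image paths are placeholders.
EVENTS = [
    {"EventID": 1, "ProcessId": 3000, "Image": sys32("regsvr32.exe"),
     "ParentProcessId": 1000, "ParentImage": sys32("loaddll32.exe")},
    {"EventID": 1, "ProcessId": 2344, "Image": sys32("svchost.exe"),
     "ParentProcessId": 3000, "ParentImage": sys32("regsvr32.exe")},
    # Benign baseline: a service host started by the Service Control Manager.
    {"EventID": 1, "ProcessId": 9000, "Image": sys32("svchost.exe"),
     "ParentProcessId": 700, "ParentImage": sys32("services.exe")},
    {"EventID": 10, "SourceProcessId": 2344, "SourceImage": sys32("svchost.exe"),
     "TargetProcessId": 2580, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2580, "SourceImage": r"C:\Windows\explorer.exe",
     "TargetProcessId": 4872, "TargetImage": sys32("RuntimeBroker.exe"),
     "GrantedAccess": "0x1FFFFF"},
    # Benign baseline: a query-only handle, which cannot be used to inject.
    {"EventID": 10, "SourceProcessId": 600, "SourceImage": sys32("csrss.exe"),
     "TargetProcessId": 2580, "TargetImage": r"C:\Windows\explorer.exe",
     "GrantedAccess": "0x1000"},
]

# Process access rights (winnt.h) that together allow writing code into another
# process and running it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020

# Assumption: in this environment svchost.exe is only ever started by services.exe.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def can_inject(granted_access):
    """True if the hex GrantedAccess mask allows writing memory and running it."""
    mask = int(granted_access, 16)
    return bool(mask & PROCESS_VM_WRITE) and bool(
        mask & (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION))


def orphaned_svchost(events):
    """(pid, parent image) of svchost.exe instances with an unexpected parent."""
    return [(e["ProcessId"], basename(e["ParentImage"])) for e in events
            if e["EventID"] == 1 and basename(e["Image"]) == "svchost.exe"
            and basename(e["ParentImage"]) not in EXPECTED_SVCHOST_PARENTS]


def injection_edges(events):
    """(source pid, source image, target pid, target image) per injection-capable handle."""
    return [(e["SourceProcessId"], basename(e["SourceImage"]),
             e["TargetProcessId"], basename(e["TargetImage"]))
            for e in events if e["EventID"] == 10 and can_inject(e["GrantedAccess"])]


def injection_chains(events):
    """Walk injection edges from every orphaned svchost.exe; returns image-name paths."""
    edges = defaultdict(list)
    for spid, _simg, tpid, timg in injection_edges(events):
        edges[spid].append((tpid, timg))
    chains = []
    for pid, _parent in orphaned_svchost(events):
        stack = [(pid, ["svchost.exe"], {pid})]
        while stack:
            cur, path, seen = stack.pop()
            nxt = [(t, n) for t, n in edges.get(cur, []) if t not in seen]
            if not nxt:
                chains.append(path)
            for tpid, timg in nxt:
                stack.append((tpid, path + [timg], seen | {tpid}))
    return chains


if __name__ == "__main__":
    for pid, parent in orphaned_svchost(EVENTS):
        print(f"svchost.exe pid {pid} started by {parent}")
    for chain in injection_chains(EVENTS):
        print("injection chain: " + " -> ".join(chain))
```

The parent check is the cheap, high-signal part: a service host whose parent is regsvr32.exe, rundll32.exe or cmd.exe has no legitimate explanation. The ProcessAccess walk is noisier on a real host, because many legitimate tools open explorer.exe with broad rights, so in production it is worth restricting the walk to sources that already failed the parent check, as the code does, rather than alerting on every injection-capable handle.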

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                Source | Detection | Scanner | Label | Link
                atw3.dll | 58% | ReversingLabs | Win32.Trojan.Ditertag |
                atw3.dll | 68% | Virustotal | | Browse
                atw3.dll | 100% | Avira | HEUR/AGEN.1301198 |
                atw3.dll | 100% | Joe Sandbox ML | |

                Source | Detection | Scanner | Label | Link
                C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll | 100% | Avira | HEUR/AGEN.1301198 |
                C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll | 100% | Joe Sandbox ML | |
                C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll | 58% | ReversingLabs | Win32.Trojan.Ditertag |
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe |
                http://www.zend.com | 0% | Avira URL Cloud | safe |
                http://constitution.org/usdeclar.txt | 0% | Avira URL Cloud | safe |
                http://constitution.org/usdeclar.txtC: | 0% | Avira URL Cloud | safe |
                http://ardshinbank.at/W | 0% | Avira URL Cloud | safe |
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                www-php-net.ax4z.com | 185.85.0.29 | true | false | | high
                s-part-0035.t-0009.t-msedge.net | 13.107.246.63 | true | false | | high
                default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.58.100 | true | false | | high
                fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
                www.php.net | unknown | unknown | false | | high
                ardshinbank.at | unknown | unknown | true | | unknown
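An added example, not part of the report, that turns the domain table above into a detection: it matches constructed DNS/proxy log lines against the report's network indicators and additionally flags hostnames that imitate a well-known domain by flattening its dots into hyphens, which is how www-php-net.ax4z.com, the host the svchost.exe in the behavior graph actually connected to, resembles www.php.net. The indicator values are copied from the table; the log lines, the log line format and the KNOWN_DOMAINS allowlist are assumptions.

```python
"""Match DNS/proxy log lines against the report's network indicators and flag
look-alike hostnames. Added example; log lines and allowlist are constructed."""
import ipaddress
import re

# Copied from the domain table: the host the injected svchost.exe contacted, its
# IP, and the domain the report marks as malicious.
IOC_DOMAINS = {"www-php-net.ax4z.com", "ardshinbank.at"}
IOC_IPS = {"185.85.0.29"}
# Assumption: an illustrative list of well-known domains that attackers imitate.
KNOWN_DOMAINS = {"www.php.net", "php.net"}

# Constructed log lines in a minimal "timestamp client host:port" shape.
LOG_LINES = [
    "1735300001 10.0.0.5 www.php.net:443",
    "1735300002 10.0.0.5 www-php-net.ax4z.com:443",
    "1735300003 10.0.0.7 185.85.0.29:443",
    "1735300004 10.0.0.9 ardshinbank.at:80",
    "1735300005 10.0.0.9 s-part-0035.t-0009.t-msedge.net:443",
    "not a log line",
]
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)$")


def lookalike_of(host, known=KNOWN_DOMAINS):
    """Return the known domain that one label of `host` spells with hyphens, else None."""
    labels = host.lower().split(".")
    for k in sorted(known, key=len, reverse=True):  # longest match first
        if k.replace(".", "-") in labels:
            return k
    return None


def classify(line):
    """Parse one line; None for unparseable lines, else a dict with the reasons it matched."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = m["host"].lower()
    reasons = []
    try:
        ip = str(ipaddress.ip_address(host))
    except ValueError:  # not an IP literal, treat it as a hostname
        if host in IOC_DOMAINS:
            reasons.append("ioc-domain")
        mimic = lookalike_of(host)
        if mimic:
            reasons.append("lookalike:" + mimic)
    else:
        if ip in IOC_IPS:
            reasons.append("ioc-ip")
    return {"client": m["client"], "host": host, "port": int(m["port"]),
            "reasons": reasons}


def scan(lines):
    """All parsed lines that triggered at least one reason, in input order."""
    return [r for r in map(classify, lines) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f'{hit["client"]} -> {hit["host"]}:{hit["port"]}  {", ".join(hit["reasons"])}')
```

Do not read the table's "Malicious: false" and "Reputation: high" for www-php-net.ax4z.com as a verdict: those columns come from the sandbox's reputation feed, while the behavior graph shows that host receiving TLS connections from the svchost.exe that injects into explorer.exe. The look-alike check exists for exactly this case, where a name sits on a clean-looking domain but encodes a trusted one.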
Name | Malicious | Antivirus Detection | Reputation
https://www.php.net/license/3_0.txt | false | | high
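Rows of the URL table arrive from the report export with the URL fused onto the first source token and the Malicious flag fused onto the last memory-dump name, which makes them awkward to feed into a blocklist or a hunt query. The following Python script is an added example, not part of the Joe Sandbox report: it parses that export form (including source lists wrapped over two lines) into records, pairs each process with the .sdmp dump the string was found in, and ranks the rows for triage. The sample rows are copied from this report with their source lists shortened; the scoring weights, the INJECTED_HOSTS set and the format-string test are the editor's assumptions, not something the report defines.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Tokens that open a Joe Sandbox "Source" list. In the text export the URL is
# fused directly onto the first of these, so the earliest token marks the split.
# (Assumption: the set covers the processes and dropped files seen in this run.)
SOURCE_TOKENS = ("explorer.exe", "svchost.exe", "RuntimeBroker.exe",
                 "rundll32.exe", "prefs.js.10.dr")

@dataclass
class UrlRow:
    url: str
    sources: List[Tuple[str, str]]   # (process or dropped file, memory dump id or "")
    malicious: bool
    av_label: str
    reputation: str

def _split_url(fused: str) -> Tuple[str, str]:
    """Split 'https://host/pathexplorer.exe, 0000000A....sdmp' at the earliest
    known source token; everything before it is the URL as the report saw it."""
    hits = [fused.find(t) for t in SOURCE_TOKENS if fused.find(t) > 0]
    if not hits:
        return fused, ""
    cut = min(hits)
    return fused[:cut], fused[cut:]

def _parse_sources(text: str) -> List[Tuple[str, str]]:
    """Pair each process name with the .sdmp memory dump that follows it;
    dropped-file sources such as prefs.js.10.dr carry no dump id."""
    toks = [t.strip() for t in text.split(",") if t.strip()]
    out, i = [], 0
    while i < len(toks):
        if i + 1 < len(toks) and toks[i + 1].endswith(".sdmp"):
            out.append((toks[i], toks[i + 1]))
            i += 2
        else:
            out.append((toks[i], ""))
            i += 1
    return out

def parse_rows(text: str) -> List[UrlRow]:
    """Parse the URL table as exported: first line is URL+sources+Malicious flag
    (possibly wrapped over several lines), then an optional '• scanner: verdict'
    line, then the reputation line."""
    rows: List[UrlRow] = []
    buf, pending = "", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            if line.startswith("•"):
                pending.av_label = line.lstrip("•").strip()
            else:
                pending.reputation = line
                rows.append(pending)
                pending = None
            continue
        buf += line
        m = re.fullmatch(r"(.*?)(true|false)", buf)
        if not m:
            continue            # source list wrapped onto the next line
        url, src = _split_url(m.group(1))
        pending = UrlRow(url, _parse_sources(src), m.group(2) == "true", "", "")
        buf = ""
    return rows

def looks_like_format_string(url: str) -> bool:
    """A printf specifier such as %lu marks a URL template kept in the
    malware's memory, i.e. something to match on, not an address to block."""
    return re.search(r"%l?[dusx]", url) is not None

# Editor's assumption: strings found in these processes (not only in Explorer
# or Firefox residue) deserve attention first.
INJECTED_HOSTS = {"svchost.exe", "RuntimeBroker.exe", "rundll32.exe"}

def triage(rows: List[UrlRow]) -> List[Tuple[int, str]]:
    """Rank rows for analyst attention; weights are the editor's choice."""
    ranked = []
    for r in rows:
        score = 0
        if r.malicious:
            score += 100
        if r.reputation != "high":
            score += 10
        if {p for p, _ in r.sources} & INJECTED_HOSTS:
            score += 5
        if looks_like_format_string(r.url):
            score += 1
        ranked.append((score, r.url))
    return sorted(ranked, key=lambda t: (-t[0], t[1]))

# Sample rows copied from this report's URL table (source lists shortened);
# the last row's source list is wrapped over two lines as in the export.
SAMPLE = """\
https://aka.ms/odirmrexplorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmpfalse
high
http://https://file://USER.ID%lu.exe/updsvchost.exe, 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmptrue
• Avira URL Cloud: safe
unknown
http://ardshinbank.at/Wexplorer.exe, 0000000A.00000000.1777038113.000000000C54A000.00000004.00000001.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://www.amazon.com/?tag=admarketus-20explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drfalse
high
http://www.php.netsvchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp,
explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmpfalse
high
"""

if __name__ == "__main__":
    for score, url in triage(parse_rows(SAMPLE)):
        print(f"{score:4d}  {url}")
```

On the sample rows the ranking puts the template string first (it carries the %lu specifier and was found in the svchost.exe and rundll32.exe dumps rather than only in explorer.exe), then the unknown-reputation ardshinbank.at string, and leaves the MSN and Firefox prefs residue from explorer.exe at the bottom.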
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/odirmr | explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.php.net:80/license/3_0.txt | svchost.exe, 00000006.00000002.1795210701.000001EE6FC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766213035.0000027155441000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800059950.0000023902440000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790082787.00000236FDA40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1778334322.000000000CAF3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105533064.000000000CAF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4581566450.000000000CAFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105098265.000000000CAF3000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://opensource.org/licenses/PHP-3.0 | svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl | explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://powerpoint.office.comcember | explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://constitution.org/usdeclar.txtC: | svchost.exe, 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.dr | false | | high
http://https://file://USER.ID%lu.exe/upd | svchost.exe, 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, svchost.exe, 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re- | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.php.net// | explorer.exe, 0000000A.00000000.1778286571.000000000CA42000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://excel.office.com | explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.php.net | svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://schemas.micro | explorer.exe, 0000000A.00000002.4537942603.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1772870579.0000000009B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1769772722.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000000.1805839625.000001ECFC470000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000000.1833669471.000001D178850000.00000002.00000001.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4498222206.0000023B609B0000.00000002.00000001.00040000.00000000.sdmp | false | | high
http://www.php.net/license/3_0.txtc | rundll32.exe, 0000000D.00000002.4490166405.0000018F765BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.php.net/ | svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1799939841.0000023902425000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4491235090.000001ECFA213000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4492189420.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4493124013.000001ECFA2E0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net/license/3_0.txtbe679 | svchost.exe, 00000007.00000002.1766449588.000002715546D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net/license/3_0.txtom | svchost.exe, 00000006.00000002.1795357235.000001EE6FC6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | prefs.js.10.dr | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/q | explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net/license/3_01.txt | svchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 0000000A.00000003.3106375939.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1 | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net/ | svchost.exe, 00000006.00000002.1795357235.000001EE6FC6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.000002715546D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800200737.000002390246B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790335410.00000236FDA6B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg | explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94 | explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.dr | false | | high
http://ardshinbank.at/W | explorer.exe, 0000000A.00000000.1777038113.000000000C54A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4578967664.000000000C54A000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.php.net/license/3_0.txtz | svchost.exe, 00000009.00000002.1790194491.00000236FDA69000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.autoitscript.com/autoit3/J | explorer.exe, 0000000A.00000003.3106178648.00000000079B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079B1000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://wns.windows.com/L | explorer.exe, 0000000A.00000000.1777038113.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4578967664.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://word.office.com | explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net:443/license/3_0.txt | svchost.exe, 00000006.00000002.1795210701.000001EE6FC40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790082787.00000236FDA40000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105533064.000000000CAF6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4581566450.000000000CAFC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105098265.000000000CAF3000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg | explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.dr | false | | high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net/license/3_0.txtK | explorer.exe, 0000000A.00000003.3106375939.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4580412188.000000000C964000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta | explorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.dr | false | | high
https://www.php.net/license/3_0.txt-kv | svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow- | explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.php.net/er | RuntimeBroker.exe, 0000000B.00000002.4492189420.000001ECFA2A4000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.php.net:443/license/3_0.txtonic0Local | svchost.exe, 00000007.00000002.1766213035.0000027155441000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.php.net/license/3_0.txt | svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1778286571.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106375939.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4580412188.000000000C964000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4497033597.000001ECFBF43000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4490166405.0000018F765BC000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://aka.ms/Vh5j3k | explorer.exe, 0000000A.00000003.3106178648.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4506551141.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false | |
                                                                                                                                          high
                                                                                                                                          http://www.zend.comsvchost.exe, 00000006.00000002.1795659909.000001EE6FCC9000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795453454.000001EE6FC84000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795147368.000001EE6FC2F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.1795275730.000001EE6FC5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766151576.000002715542F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766282559.0000027155460000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766639415.00000271554C2000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1766449588.0000027155478000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800000998.000002390242F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800118673.000002390245E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800490342.00000239024BA000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1800288306.0000023902482000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790479088.00000236FDA82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790907478.00000236FDACF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1790194491.00000236FDA5E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1789957584.00000236FDA31000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3104935163.000000000CB6D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3106148906.000000000CBFF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 
0000000A.00000003.3105185061.000000000CB6E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3105964393.000000000C9C3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.3107173949.000000000C9DE000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://api.msn.com/v1/news/Feed/Windows?&explorer.exe, 0000000A.00000002.4565072197.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000096DF000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              high
                                                                                                                                              https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svgexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                high
                                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  http://constitution.org/usdeclar.txtexplorer.exe, 0000000A.00000002.4585045937.0000000011B2C000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, RuntimeBroker.exe, 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: safe
                                                                                                                                                  unknown
                                                                                                                                                  https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                    high
                                                                                                                                                    https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgexplorer.exe, 0000000A.00000002.4583369028.0000000010C9E000.00000004.00000001.00020000.00000000.sdmp, prefs.js.10.drfalse
                                                                                                                                                      high
                                                                                                                                                      http://www.php.net/license/3_0.txtsexplorer.exe, 0000000A.00000000.1778286571.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, RuntimeBroker.exe, 0000000B.00000002.4497033597.000001ECFBF43000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000002.4490166405.0000018F765BC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://android.notify.windows.com/iOSexplorer.exe, 0000000A.00000002.4578967664.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://www.php.net/license/3_0.txtverRuntimeBroker.exe, 0000000B.00000002.4497033597.000001ECFBF43000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/arexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 0000000A.00000002.4503442805.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://api.msn.com/explorer.exe, 0000000A.00000002.4565072197.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1770828071.00000000097D4000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-dexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://outlook.com_explorer.exe, 0000000A.00000003.3106682325.000000000C5E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.4579755975.000000000C5E6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1777038113.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-darkexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://www.msn.com:443/en-us/feedexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-ofexplorer.exe, 0000000A.00000002.4503442805.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1768729709.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                high
Contacted IPs

IP | Domain | Country | ASN | ASN Name | Malicious
185.85.0.29 | www-php-net.ax4z.com | Germany | 20546 | SOPRADO-ANYDE | false
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581113
Start date and time: 2024-12-27 00:54:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 5
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: atw3.dll
Detection: MAL
Classification: mal100.phis.bank.troj.spyw.evad.winDLL@21/2@3/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 193
• Number of non-executed functions: 287
Cookbook Comments:
• Found application associated with file extension: .dll
• Override analysis time to 240000 for currently running targets with high CPU consumption
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe
• Excluded IPs from analysis (whitelisted): 20.189.173.6, 13.107.246.63
• Excluded domains from analysis (whitelisted): self-events-data.trafficmanager.net, ocsp.digicert.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.afd.azureedge.net, self.events.data.microsoft.com, ocsp.edge.digicert.com, azureedge-t-prod.trafficmanager.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, onedscolprdwus05.westus.cloudapp.azure.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time; disassembly code information may be missing
• Report size exceeded maximum capacity; behavior information may be missing
• Report size exceeded maximum capacity; disassembly code may be missing
• Report size getting too big: too many NtEnumerateKey calls found
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
Analysis Timeline

Time | Type | Description
18:55:06 | API Interceptor | 4x Sleep call for process: svchost.exe modified
18:56:01 | API Interceptor | 943x Sleep call for process: explorer.exe modified
Context: IPs (the context of each match is listed as a bullet under its row)

Match | Associated Sample Name / URL | Detection | Threat Name
185.85.0.29 | http://5.188.86.237 | malicious | Unknown
• php.net/phpnetimprovedsearch.src

Context: Domains (the context of each match is listed as a bullet under its row)

Match | Associated Sample Name / URL | Detection | Threat Name
www-php-net.ax4z.com | http://5.188.86.237 | malicious | Unknown
• 185.85.0.29
www-php-net.ax4z.com | Qgc2Nreer3.exe | malicious | Unknown
• 185.85.0.29
s-part-0035.t-0009.t-msedge.net | WRD1792.docx.doc | malicious | Dynamer
• 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 0zBsv1tnt4.exe | malicious | LummaC
• 13.107.246.63
s-part-0035.t-0009.t-msedge.net | pVbAZEFIpI.exe | malicious | LummaC
• 13.107.246.63
s-part-0035.t-0009.t-msedge.net | GxX48twWHA.exe | malicious | LummaC
• 13.107.246.63
s-part-0035.t-0009.t-msedge.net | ERTL09tA59.exe | malicious | LummaC
• 13.107.246.63
s-part-0035.t-0009.t-msedge.net | 90m2xwxCOf.exe | malicious | Unknown
• 13.107.246.63
s-part-0035.t-0009.t-msedge.net | tFDKSN3TdH.exe | malicious | LummaC
                                                                                                                                                                                • 13.107.246.63
                                                                                                                                                                                V2s8yjvIJw.exeGet hashmaliciousIris StealerBrowse
                                                                                                                                                                                • 13.107.246.63
                                                                                                                                                                                z3IxCpcpg4.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 13.107.246.63
                                                                                                                                                                                GtEVo1eO2p.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 13.107.246.63
                                                                                                                                                                                fp2e7a.wpc.phicdn.netsetup.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                ERTL09tA59.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                vJPhYDClT5.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                V2s8yjvIJw.exeGet hashmaliciousIris StealerBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                k6olCJyvIj.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                G6xnfES308.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                XM6cn2uNux.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                bG89JAQXz2.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                q8b3OisMC4.dllGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                eszstwQPwq.ps1Get hashmaliciousLockBit ransomware, MetasploitBrowse
                                                                                                                                                                                • 192.229.221.95
                                                                                                                                                                                default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.comWRD1792.docx.docGet hashmaliciousDynamerBrowse
                                                                                                                                                                                • 217.20.58.99
                                                                                                                                                                                GtEVo1eO2p.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 217.20.58.98
                                                                                                                                                                                0442.pdf.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 217.20.58.100
                                                                                                                                                                                #U5b89#U88c5#U7a0b#U5e8f_1.1.0.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 217.20.58.100
                                                                                                                                                                                wUSt04rfJ0.exeGet hashmaliciousQuasarBrowse
                                                                                                                                                                                • 217.20.58.101
                                                                                                                                                                                #U5b89#U88c5#U52a9#U624b1.0.2.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 217.20.58.99
                                                                                                                                                                                AxoPac.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 217.20.58.100
                                                                                                                                                                                [External] 120112 Manual Policies Overview Guide_ 8VM8-WZPT3L-LYH1.emlGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 217.20.58.99
                                                                                                                                                                                PLEASE SIGN THIS DOCUMENT - Reference number(s) 0598190575 DPR.msgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 217.20.58.101
                                                                                                                                                                                lKin1m7Pf2.lnkGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 217.20.58.99
                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                SOPRADO-ANYDEJosho.x86.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 103.51.166.55
                                                                                                                                                                                apep.x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 103.51.166.74
                                                                                                                                                                                la.bot.sh4.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 103.51.166.54
                                                                                                                                                                                2NkFwDDoDy.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 103.51.167.220
                                                                                                                                                                                na.elfGet hashmaliciousMirai, OkiruBrowse
                                                                                                                                                                                • 103.51.167.240
                                                                                                                                                                                hoho.arm7.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 103.51.167.254
                                                                                                                                                                                MacKeeper.6.7.1.pkgGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 185.5.82.77
                                                                                                                                                                                skyljne.arm7-20240113-1800.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 103.51.167.239
                                                                                                                                                                                x86.elfGet hashmaliciousMiraiBrowse
                                                                                                                                                                                • 103.51.167.234
                                                                                                                                                                                GnV3mIBVzc.elfGet hashmaliciousUnknownBrowse
                                                                                                                                                                                • 103.51.167.244
                                                                                                                                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                a0e9f5d64349fb13191bc781f81f42e1installer_1.05_36.4.zipGet hashmaliciousNetSupport RAT, LummaC, LummaC StealerBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                0zBsv1tnt4.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                cqHMm0ykDG.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                pVbAZEFIpI.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                GxX48twWHA.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                RUUSfr6dVm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                9idglWFv95.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                tJd3ArrDAm.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                gdtJGo7jH3.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                oQSTpQfzz5.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                • 185.85.0.29
                                                                                                                                                                                No context
Process: C:\Windows\SysWOW64\rundll32.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 467968
Entropy (8bit): 6.117622107850484
Encrypted: false
SSDEEP: 12288:s0/eyQTPl2tZrqu9MxbrWDRt3SaLPIEfG28wK6t:s0/8sbj6W91SgYJwK
MD5: 28A6DF75F54F6B40FF2B7B2920001BCB
SHA1: 261ADAC029E864D5480468313319539F3DBD951A
SHA-256: C3B6BE96582DC92249E78DB51D0ABE50E78B623F9BCC09405B587D736D6DC451
SHA-512: BE312A7D8FBEBF546B292A62DD8E247397277D5A552208D7A1C8D728EFB6C56518A76E8551DDF8185BC109ACF9C187616B254A375D65868B22751ADD5ED82651
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 58%
Process: C:\Windows\explorer.exe
File Type: ASCII text, with very long lines (1809), with CRLF line terminators
Category: modified
Size (bytes): 9619
Entropy (8bit): 5.534937682091679
Encrypted: false
SSDEEP: 192:qnaRt+YbBp6ihj4qyaaX86KKkfGNBw8DJSwM:yegqumcwQG
MD5: 865C52C5B0DD6A198C8857C3FC27F1EB
SHA1: 2395E4C4CC07741179C63419808B4CE09E705284
SHA-256: 715783998DD7FCD0DA3032AC7C02936AC2730B2B988E61AA1F2BCA788895B4D8
SHA-512: 6E1EFD0CF5873DBB72B6DB250567B90BD532626ADD460C0DC1F0634714A48BAEA92071E01C61A22F8A3765CEBFD159D2BB986A72C0FF4BEEC52F86906978BF46
Malicious: true
Preview: // Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "57f16a19-e119-4073-bf01-28f88011f783");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696333830);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696333856);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
File type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.117622107850484
TrID:
• Win32 Dynamic Link Library (generic) (1002004/3) 98.12%
• Windows Screen Saver (13104/52) 1.28%
• Win16/32 Executable Delphi generic (2074/23) 0.20%
• Generic Win/DOS Executable (2004/3) 0.20%
• DOS Executable Generic (2002/1) 0.20%
File name: atw3.dll
File size: 467'968 bytes
MD5: 28a6df75f54f6b40ff2b7b2920001bcb
SHA1: 261adac029e864d5480468313319539f3dbd951a
SHA256: c3b6be96582dc92249e78db51d0abe50e78b623f9bcc09405b587d736d6dc451
SHA512: be312a7d8fbebf546b292a62dd8e247397277d5a552208d7a1c8d728efb6c56518a76e8551ddf8185bc109acf9c187616b254a375d65868b22751add5ed82651
SSDEEP: 12288:s0/eyQTPl2tZrqu9MxbrWDRt3SaLPIEfG28wK6t:s0/8sbj6W91SgYJwK
TLSH: 57A4235BDDB0CF1BE392AC35CCB44AA7591FDA14E6B0E8F7A3071A5C84154BD230946E
                                                                                                                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P...........!................&.....................................................@.........................k...S..
                                                                                                                                                                                Icon Hash:7ae282899bbab082
                                                                                                                                                                                Entrypoint:0x10071d26
                                                                                                                                                                                Entrypoint Section:.text
                                                                                                                                                                                Digitally signed:false
                                                                                                                                                                                Imagebase:0x10000000
                                                                                                                                                                                Subsystem:windows gui
                                                                                                                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
                                                                                                                                                                                DLL Characteristics:DYNAMIC_BASE
                                                                                                                                                                                Time Stamp:0x50B68B8E [Wed Nov 28 22:09:18 2012 UTC]
                                                                                                                                                                                TLS Callbacks:
                                                                                                                                                                                CLR (.Net) Version:
                                                                                                                                                                                OS Version Major:5
                                                                                                                                                                                OS Version Minor:0
                                                                                                                                                                                File Version Major:5
                                                                                                                                                                                File Version Minor:0
                                                                                                                                                                                Subsystem Version Major:5
                                                                                                                                                                                Subsystem Version Minor:0
                                                                                                                                                                                Import Hash:067c9eaf965ff911e0d45a66ba273628
Entrypoint Preview (Instruction):
push ebp
mov ebp, esp
sub esp, 30h
push esi
push edi
push dword ptr [10071678h]
push 00000100h
push 00000200h
call 00007FB1BCCA74FFh
push dword ptr [1007169Ch]
mov edx, dword ptr [1007176Ch]
add dword ptr [100715C8h], edi
call 00007FB1BCCA7733h
push eax
mov edx, 9516C5E7h
dec edx
mov ecx, dword ptr [100716B4h]
push ecx
push dword ptr [1007169Ch]
mov ecx, dword ptr [10071750h]
sub edx, dword ptr [ebp-2Ch]
mov ecx, dword ptr [100716E8h]
sub edx, ebx
shr ecx, 02h
mov dword ptr [100716DCh], ecx
push dword ptr [100716DCh]
mov ecx, dword ptr [100715F4h]
sub edx, dword ptr [ebp-1Ch]
push eax
mov dword ptr [10071648h], eax
dec dword ptr [100715C8h]
push dword ptr [10071648h]
mov edx, dword ptr [10071750h]
and edx, eax
call 00007FB1BCCA75DFh
pop eax
mov dword ptr [ebp-04h], eax
xor ecx, ecx
mov dword ptr [ebp-24h], 7E991A78h
neg dword ptr [ebp-24h]
cmp dword ptr [ebp-24h], ecx
jnl 00007FB1BCCA7356h
xor ecx, ecx
mov dword ptr [ebp-0Ch], DCDA01CCh
neg dword ptr [ebp-0Ch]
je 00007FB1BCCA7348h
mov edx, dword ptr [ebp-0Ch]
mov dword ptr [ebp-28h], 4BE163AFh
xor edx, dword ptr [100716B4h]
push 2014A854h
Data directories:
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x70c6b | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3794 | 0x8c | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7a000 | 0x2ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x208 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x71454 | 0x168 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections:
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x78618 | 0x71800 | 82dbf1bf4e5127b0fa585103a95b8aae | False | 0.8217472294878855 | OpenPGP Public Key Version 4, Created Mon Feb 16 02:56:53 2015, Unknown Algorithm (0x32) | 6.132989428960455 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x7a000 | 0x2ec | 0x400 | 4f143518631d8a483f3bdbd6c540fe61 | False | 0.36328125 | data | 2.5817040117719223 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x208 | 0x400 | 33eb48e2c53f8cbc676b01f738858df6 | False | 0.5 | data | 4.142168842856963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
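Two static properties in the section table above are worth checking on any sample before it ever runs: the .text section carries IMAGE_SCN_MEM_WRITE alongside IMAGE_SCN_CNT_CODE and IMAGE_SCN_MEM_EXECUTE (a writable code section, which a normal compiler-linker chain never emits), and its entropy of 6.13 bits per byte is high for x86 code, consistent with packed or encrypted content that unpacks in place. The Python below is an added example, not part of this Joe Sandbox report and not code from the analysed sample: it parses a PE section table with the standard library only, computes per-section Shannon entropy, and flags W+X code sections and high-entropy code. The embedded PE image is constructed for the demonstration (the entropy threshold of 6.0 and the pseudo-random .text contents are assumptions); pass a real file path on the command line to run it against a sample.

```python
"""Added example (not part of the Joe Sandbox report): a stdlib-only PE section
table parser that flags writable code sections and high-entropy code."""
import random
import struct
from collections import Counter
from math import log2

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum, 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # COFF file header is 20 bytes
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HEADER, pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
            "characteristics": chars, "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(sections: list, entropy_threshold: float = 6.0) -> list:
    """Return (section name, reason) pairs for W+X sections and dense code."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        is_code = bool(c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        if is_code and c & IMAGE_SCN_MEM_WRITE:
            findings.append((s["name"], "writable code section (W+X)"))
        if is_code and s["entropy"] >= entropy_threshold:
            findings.append((s["name"], f"high-entropy code ({s['entropy']:.2f} bits/byte)"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 stand-in for a packed DLL (not the analysed atw3.dll):
    a W+X .text section of pseudo-random bytes and a read-only zeroed .rdata."""
    rng = random.Random(1)
    text_data = bytes(rng.randrange(256) for _ in range(0x400))
    rdata_data = b"\0" * 0x200
    opt_size, text_ptr, rdata_ptr = 0xE0, 0x200, 0x600
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x2102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)        # PE32 magic only

    def header(name, va, ptr, data, chars):
        return struct.pack(SECTION_HEADER, name, len(data), va, len(data), ptr, 0, 0, 0, 0, chars)

    img = bytearray(dos + b"PE\0\0" + coff + opt)
    img += header(b".text", 0x1000, text_ptr, text_data,
                  IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    img += header(b".rdata", 0x2000, rdata_ptr, rdata_data,
                  IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    img += b"\0" * (text_ptr - len(img)) + text_data
    img += b"\0" * (rdata_ptr - len(img)) + rdata_data
    return bytes(img)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for sec in parse_sections(data):
        print(f"{sec['name']:<8} va=0x{sec['va']:x} raw=0x{sec['raw_size']:x} "
              f"entropy={sec['entropy']:.2f} chars=0x{sec['characteristics']:08x}")
    for name, reason in suspicious_sections(parse_sections(data)):
        print(f"  [!] {name}: {reason}")
```

The parser reads raw file offsets, so it sees what an on-disk scanner sees; it does not follow the memory layout, which is why a packed section that decrypts itself at runtime still shows up here as dense, writable code. Treat the entropy threshold as a triage heuristic, not a verdict: compressed resources and legitimately large constant tables also score high, so the W+X flag is the stronger of the two signals.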
Resources:
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x7a058 | 0x294 | OpenPGP Secret Key | English | United States | 0.5121212121212121
Imports:
DLL | Import
RPCRT4.dll | RpcObjectSetInqFn, RpcServerUseProtseqEpA, NdrMesProcEncodeDecode, MesHandleFree, RpcBindingInqAuthClientExA, RpcServerUseAllProtseqs
ADVAPI32.dll | SaferSetLevelInformation, GetTraceEnableFlags, RegOpenKeyW, GetNamedSecurityInfoA, WmiSetSingleInstanceA, RegSaveKeyA, GetTraceLoggerHandle, WmiNotificationRegistrationA, UnregisterTraceGuids, GetTraceEnableLevel, RegisterTraceGuidsW, ConvertStringSDToSDDomainW, EnumServiceGroupW, GetInheritanceSourceA, NotifyBootConfigStatus
SHLWAPI.dll | StrCatChainW, PathIsFileSpecW, SHRegGetPathA, SHEnumKeyExA, PathIsUNCServerShareA, StrCmpNIW
KERNEL32.dll | GetLocalTime, GetFileAttributesW, GetProcessHeap, FileTimeToSystemTime, lstrcpynW, GetCommandLineA, lstrcmpiW, VirtualAlloc, HeapAlloc, Heap32ListNext, GetModuleFileNameA, EnumResourceTypesA, CreateFileA, SetFilePointerEx, FreeEnvironmentStringsA, WaitForSingleObject, Heap32ListFirst, GetEnvironmentStrings, GetFullPathNameA, HeapFree, GetEnvironmentStringsA, WritePrivateProfileStringA, GetWindowsDirectoryW, GetWindowsDirectoryA
USER32.dll | DlgDirSelectExW, DdeConnectList, DlgDirSelectComboBoxExW, DlgDirListComboBoxW, IsIconic, DlgDirListW, MessageBoxA, UnpackDDElParam
COMDLG32.dll | FindTextW, GetSaveFileNameA, dwLBSubclass, GetFileTitleW, GetSaveFileNameW, dwOKSubclass, PrintDlgW, Ssync_ANSI_UNICODE_Struct_For_WOW, PageSetupDlgW, LoadAlterBitmap, PrintDlgExA, GetOpenFileNameA, ReplaceTextA, ChooseColorA, ChooseFontW, ChooseFontA, PrintDlgExW, WantArrows, CommDlgExtendedError, FindTextA, GetOpenFileNameW, ChooseColorW, ReplaceTextW, PageSetupDlgA, PrintDlgA
Exports:
Name | Ordinal | Address
DllRegisterServer | 1 | 0x1000112f
Language of compilation system | Country where language is spoken
English | United States
IDS alerts:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T00:55:06.266479+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49733 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:06.267697+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49734 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:06.272999+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49735 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:08.663954+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49738 | 185.85.0.29 | 443 | TCP
2024-12-27T00:55:10.184929+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49739 | 185.85.0.29 | 443 | TCP
2024-12-27T00:59:46.108893+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.4 | 49753 | 185.85.0.29 | 443 | TCP
Network packets (TCP):
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 00:55:02.228096008 CET | 49730 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.230865955 CET | 49731 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.269284964 CET | 49732 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.347661018 CET | 80 | 49730 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:02.347762108 CET | 49730 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.350323915 CET | 80 | 49731 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:02.351314068 CET | 49731 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.353965998 CET | 49730 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.354156971 CET | 49731 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.388848066 CET | 80 | 49732 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:02.389000893 CET | 49732 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.390163898 CET | 49732 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:02.473402023 CET | 80 | 49730 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:02.473577976 CET | 80 | 49731 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:02.509591103 CET | 80 | 49732 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.610471964 CET | 80 | 49730 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.697037935 CET | 80 | 49731 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.731762886 CET | 49730 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.734925985 CET | 80 | 49732 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.748676062 CET | 49731 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.766895056 CET | 49733 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.767000914 CET | 443 | 49733 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.767102003 CET | 49733 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.841160059 CET | 49732 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.853372097 CET | 49733 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.853427887 CET | 443 | 49733 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.858397007 CET | 49734 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.858432055 CET | 49735 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:03.858459949 CET | 443 | 49734 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.858460903 CET | 443 | 49735 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:03.858546972 CET | 49735 | 443 | 192.168.2.4 | 185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:03.858551979 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:03.859425068 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:03.859457970 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:03.861612082 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:03.861639977 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:04.606770039 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:04.726495981 CET8049736185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:04.726603031 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:04.726728916 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:05.091154099 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:05.450516939 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:05.844881058 CET8049736185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:05.844901085 CET8049736185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:05.844908953 CET8049736185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:05.844918013 CET8049736185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:05.844986916 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.266362906 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.266479015 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.267617941 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.267697096 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.272919893 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.272999048 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.392690897 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.392748117 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.393038988 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.396953106 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.396985054 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.397211075 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.411658049 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.411674976 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.412555933 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.435050964 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.446397066 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.458019972 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.466145992 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.485418081 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.487329960 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.499368906 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.531362057 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.966305017 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.966320992 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.966362953 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.966403961 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.966439962 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.968893051 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.968913078 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.968924999 CET49734443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.968931913 CET44349734185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.970163107 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.970185995 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.970267057 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.970288992 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.970314980 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.970334053 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.970362902 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.970455885 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.970474958 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.970503092 CET49733443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.970509052 CET44349733185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.986015081 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.986066103 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.986120939 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.986131907 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.986165047 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.986217976 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.986264944 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.986797094 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.986797094 CET49735443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:06.986804962 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:06.986824036 CET44349735185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:07.183002949 CET4973780192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.279345989 CET8049736185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:07.282268047 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.282362938 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:07.282438993 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.282911062 CET4973080192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.286777020 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.286812067 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:07.302474976 CET8049737185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:07.302541971 CET4973780192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.302719116 CET4973780192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.325519085 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:07.422143936 CET8049737185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.653554916 CET8049737185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.663876057 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.663954020 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.700545073 CET4973780192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.706818104 CET49739443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.706880093 CET44349739185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.707010031 CET49739443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.708344936 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.708395004 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.708591938 CET49739443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.708616972 CET44349739185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.708690882 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:08.763046980 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.790597916 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:08.831357002 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:09.293981075 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:09.294009924 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:09.294083118 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:09.294148922 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:09.295293093 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:09.295351982 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:09.295386076 CET49738443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:09.295402050 CET44349738185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:09.708961964 CET4973680192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:10.168060064 CET4973180192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:10.184818029 CET44349739185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:10.184928894 CET49739443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:10.186288118 CET49739443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:10.186304092 CET44349739185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:10.187062979 CET44349739185.85.0.29192.168.2.4
                                                                                                                                                                                Dec 27, 2024 00:55:10.198270082 CET49739443192.168.2.4185.85.0.29
                                                                                                                                                                                Dec 27, 2024 00:55:10.243339062 CET44349739185.85.0.29192.168.2.4
Dec 27, 2024 00:55:10.646698952 CET | 49732 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:10.820580006 CET | 443 | 49739 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:10.820697069 CET | 443 | 49739 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:10.820771933 CET | 49739 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:10.820801973 CET | 443 | 49739 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:10.820857048 CET | 49739 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:10.820949078 CET | 443 | 49739 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:10.821008921 CET | 49739 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:10.821053982 CET | 49739 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:10.821104050 CET | 443 | 49739 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:55:10.821127892 CET | 49739 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:55:10.821142912 CET | 443 | 49739 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:56:04.846543074 CET | 80 | 49737 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:56:04.846668005 CET | 49737 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:56:05.342550039 CET | 49737 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:56:05.828035116 CET | 80 | 49737 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:43.064390898 CET | 49752 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:43.183875084 CET | 80 | 49752 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:43.183928013 CET | 49752 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:43.201736927 CET | 49752 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:43.321217060 CET | 80 | 49752 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:44.438922882 CET | 80 | 49752 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:44.592385054 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:44.592406988 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:44.592480898 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:44.639518976 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:44.639533043 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:44.654459000 CET | 49752 | 80 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.108717918 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.108892918 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.112421989 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.112428904 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.112654924 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.125489950 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.167368889 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.753283978 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.753310919 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.753355980 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.753365993 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.753376961 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.753412008 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.764533043 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.764548063 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Dec 27, 2024 00:59:46.764560938 CET | 49753 | 443 | 192.168.2.4 | 185.85.0.29
Dec 27, 2024 00:59:46.764566898 CET | 443 | 49753 | 185.85.0.29 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 00:55:02.068237066 CET | 50547 | 53 | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 00:55:02.207521915 CET | 53 | 50547 | 1.1.1.1 | 192.168.2.4
Dec 27, 2024 00:55:07.181823015 CET | 51373 | 53 | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 00:55:07.504097939 CET | 53 | 51373 | 1.1.1.1 | 192.168.2.4
Dec 27, 2024 00:59:39.824073076 CET | 49338 | 53 | 192.168.2.4 | 1.1.1.1
Dec 27, 2024 00:59:39.962538958 CET | 53 | 49338 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 27, 2024 00:55:02.068237066 CET | 192.168.2.4 | 1.1.1.1 | 0xd91a | Standard query (0) | www.php.net | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:55:07.181823015 CET | 192.168.2.4 | 1.1.1.1 | 0xfa1d | Standard query (0) | ardshinbank.at | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:39.824073076 CET | 192.168.2.4 | 1.1.1.1 | 0xf71c | Standard query (0) | www.php.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 27, 2024 00:55:02.207521915 CET | 1.1.1.1 | 192.168.2.4 | 0xd91a | No error (0) | www.php.net | www-php-net.ax4z.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 00:55:02.207521915 CET | 1.1.1.1 | 192.168.2.4 | 0xd91a | No error (0) | www-php-net.ax4z.com |  | 185.85.0.29 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:55:07.504097939 CET | 1.1.1.1 | 192.168.2.4 | 0xfa1d | Name error (3) | ardshinbank.at | none | none | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:39.266352892 CET | 1.1.1.1 | 192.168.2.4 | 0x208 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 00:59:39.266352892 CET | 1.1.1.1 | 192.168.2.4 | 0x208 | No error (0) | fp2e7a.wpc.phicdn.net |  | 192.229.221.95 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:39.503139973 CET | 1.1.1.1 | 192.168.2.4 | 0xaceb | No error (0) | shed.dual-low.s-part-0035.t-0009.t-msedge.net | s-part-0035.t-0009.t-msedge.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 00:59:39.503139973 CET | 1.1.1.1 | 192.168.2.4 | 0xaceb | No error (0) | s-part-0035.t-0009.t-msedge.net |  | 13.107.246.63 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:39.962538958 CET | 1.1.1.1 | 192.168.2.4 | 0xf71c | No error (0) | www.php.net | www-php-net.ax4z.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 00:59:39.962538958 CET | 1.1.1.1 | 192.168.2.4 | 0xf71c | No error (0) | www-php-net.ax4z.com |  | 185.85.0.29 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:41.022269964 CET | 1.1.1.1 | 192.168.2.4 | 0x9669 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 27, 2024 00:59:41.022269964 CET | 1.1.1.1 | 192.168.2.4 | 0x9669 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.100 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:41.022269964 CET | 1.1.1.1 | 192.168.2.4 | 0x9669 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.98 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:41.022269964 CET | 1.1.1.1 | 192.168.2.4 | 0x9669 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.99 | A (IP address) | IN (0x0001) | false
Dec 27, 2024 00:59:41.022269964 CET | 1.1.1.1 | 192.168.2.4 | 0x9669 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com |  | 217.20.58.101 | A (IP address) | IN (0x0001) | false
• www.php.net

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.85.0.29 | 80 | 2720 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 00:55:02.353965998 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:03.610471964 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:03 GMT
    Content-Type: text/html
    Content-Length: 161
    Connection: keep-alive
    Location: https://www.php.net/license/3_0.txt
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 4d 79 72 61 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Myra</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49731 | 185.85.0.29 | 80 | 2344 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 00:55:02.354156971 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:03.697037935 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:03 GMT
    Content-Type: text/html
    Content-Length: 161
    Connection: keep-alive
    Location: https://www.php.net/license/3_0.txt
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 4d 79 72 61 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Myra</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49732 | 185.85.0.29 | 80 | 3760 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 00:55:02.390163898 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:03.734925985 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:03 GMT
    Content-Type: text/html
    Content-Length: 161
    Connection: keep-alive
    Location: https://www.php.net/license/3_0.txt
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 4d 79 72 61 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Myra</center></body></html>
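
The three sessions above share a pattern worth turning into a detection: a service host (C:\Windows\System32\svchost.exe) sends a bare GET with no User-Agent header, and three different svchost.exe PIDs (2720, 2344, 3760) fetch the same Host and URI within the same second. The following is an added example and is not part of the Joe Sandbox report or of Joe Sandbox's own code. SESSIONS is constructed from the session rows above plus one made-up benign control record; the rule names, the PID threshold and the User-Agent check are this example's own assumptions, not fields of the report.

```python
"""Heuristic detection pass over Joe Sandbox-style HTTP session records.

Added example; not part of the Joe Sandbox report and not Joe Sandbox code.
SESSIONS is constructed from the report's session tables (svchost.exe PIDs
2720, 2344 and 3760 requesting /license/3_0.txt from www.php.net) plus one
made-up benign control record.  Rule names, the PID threshold and the
User-Agent check are this example's own choices.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath


@dataclass(frozen=True)
class HttpSession:
    session_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pid: int
    process: str   # image path as the report prints it
    request: str   # request line plus headers, one per line


# Request body exactly as shown in the report's OUT rows.
REQ = ("GET /license/3_0.txt HTTP/1.1\n"
       "Cache-Control: no-cache\n"
       "Connection: Keep-Alive\n"
       "Pragma: no-cache\n"
       "Host: www.php.net\n")

SVCHOST = r"C:\Windows\System32\svchost.exe"

SESSIONS = [
    # Sessions 0-2 from the report.
    HttpSession(0, "192.168.2.4", 49730, "185.85.0.29", 80, 2720, SVCHOST, REQ),
    HttpSession(1, "192.168.2.4", 49731, "185.85.0.29", 80, 2344, SVCHOST, REQ),
    HttpSession(2, "192.168.2.4", 49732, "185.85.0.29", 80, 3760, SVCHOST, REQ),
    # Constructed benign control: a service host that identifies itself.
    HttpSession(99, "192.168.2.4", 49800, "203.0.113.10", 80, 1200, SVCHOST,
                "GET /update.cab HTTP/1.1\nHost: example.invalid\n"
                "User-Agent: Microsoft-Delivery-Optimization/10.0\n"),
]


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw request into (method, uri, headers); header names lowercased."""
    lines = [ln for ln in raw.splitlines() if ln.strip()]
    method, uri, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def is_system_service_host(image_path: str) -> bool:
    """True only for svchost.exe loaded from the real System32 directory."""
    head, base = ntpath.split(image_path)
    return base.lower() == "svchost.exe" and head.lower() == r"c:\windows\system32"


def detect(sessions, min_pids: int = 3):
    """Return a list of (rule, detail) findings.

    Rule 1: svchost.exe sending HTTP without a User-Agent header.
    Rule 2: the same Host + URI fetched by at least `min_pids` distinct PIDs,
            which is what code injected into several host processes looks
            like on the wire.
    """
    findings = []
    by_target: dict[tuple[str, str], set[int]] = defaultdict(set)
    for s in sessions:
        _method, uri, headers = parse_request(s.request)
        host = headers.get("host", s.dst_ip)
        by_target[(host, uri)].add(s.pid)
        if is_system_service_host(s.process) and "user-agent" not in headers:
            findings.append(("svchost_http_no_user_agent",
                             {"session_id": s.session_id, "pid": s.pid,
                              "host": host, "uri": uri}))
    for (host, uri), pids in by_target.items():
        if len(pids) >= min_pids:
            findings.append(("same_uri_from_multiple_pids",
                             {"host": host, "uri": uri, "pids": sorted(pids)}))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SESSIONS):
        print(rule, detail)
```

Legitimate service-host HTTP traffic normally identifies itself with a User-Agent, so the first rule is a heuristic to baseline against your own environment rather than a hard indicator; the second rule needs the PID column, which is why it is written against the sandbox's per-session records rather than a plain packet capture.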


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49736 | 185.85.0.29 | 80 | 6148 | C:\Windows\System32\svchost.exe

Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 00:55:04.726728916 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:05.091154099 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:05.450516939 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:07.279345989 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:06 GMT
    Content-Type: text/html
    Content-Length: 161
                                                                                                                                                                                Connection: keep-alive
                                                                                                                                                                                Location: https://www.php.net/license/3_0.txt
                                                                                                                                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 4d 79 72 61 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                                                                                                                Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Myra</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49737 | 185.85.0.29 | 80 | 2580 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 00:55:07.302719116 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:55:08.653554916 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:08 GMT
    Content-Type: text/html
    Content-Length: 161
    Connection: keep-alive
    Location: https://www.php.net/license/3_0.txt
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 4d 79 72 61 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Myra</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.4 | 49752 | 185.85.0.29 | 80
Timestamp | Bytes transferred | Direction | Data
Dec 27, 2024 00:59:43.201736927 CET | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
Dec 27, 2024 00:59:44.438922882 CET | 368 | IN | HTTP/1.1 301 Moved Permanently
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:59:44 GMT
    Content-Type: text/html
    Content-Length: 161
    Connection: keep-alive
    Location: https://www.php.net/license/3_0.txt
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 4d 79 72 61 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>Myra</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49734 | 185.85.0.29 | 443 | 2344 | C:\Windows\System32\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 23:55:06 UTC | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
2024-12-26 23:55:06 UTC | 238 | IN | HTTP/1.1 200 OK
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:06 GMT
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Connection: close
    Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
    ETag: "65c3a9d7-ea2"
    Accept-Ranges: bytes
2024-12-26 23:55:06 UTC | 3758 | IN | Data Raw: 65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f 6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73
    Data Ascii: ea2============= An example PHP License, version 3.0 file =============This is the original PHP License, version 3.0 which applies only tovery old versions of PHP software (such as versions 5.1.1, 4.4.1, andearlier).The PHP License, version 3.0 is


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49733 | 185.85.0.29 | 443 | 2720 | C:\Windows\System32\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 23:55:06 UTC | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
2024-12-26 23:55:06 UTC | 238 | IN | HTTP/1.1 200 OK
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:06 GMT
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Connection: close
    Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
    ETag: "65c3a9d7-ea2"
    Accept-Ranges: bytes
2024-12-26 23:55:06 UTC | 3758 | IN | Data Raw: 65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f 6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73
    Data Ascii: ea2============= An example PHP License, version 3.0 file =============This is the original PHP License, version 3.0 which applies only tovery old versions of PHP software (such as versions 5.1.1, 4.4.1, andearlier).The PHP License, version 3.0 is


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49735 | 185.85.0.29 | 443 | 3760 | C:\Windows\System32\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 23:55:06 UTC | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
2024-12-26 23:55:06 UTC | 238 | IN | HTTP/1.1 200 OK
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:06 GMT
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Connection: close
    Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
    ETag: "65c3a9d7-ea2"
    Accept-Ranges: bytes
2024-12-26 23:55:06 UTC | 3758 | IN | Data Raw: 65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f 6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73
    Data Ascii: ea2============= An example PHP License, version 3.0 file =============This is the original PHP License, version 3.0 which applies only tovery old versions of PHP software (such as versions 5.1.1, 4.4.1, andearlier).The PHP License, version 3.0 is


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49738 | 185.85.0.29 | 443 | 6148 | C:\Windows\System32\svchost.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-26 23:55:08 UTC | 119 | OUT | GET /license/3_0.txt HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Host: www.php.net
2024-12-26 23:55:09 UTC | 238 | IN | HTTP/1.1 200 OK
    Server: myracloud
    Date: Thu, 26 Dec 2024 23:55:09 GMT
    Content-Type: text/plain
    Transfer-Encoding: chunked
    Connection: close
    Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
    ETag: "65c3a9d7-ea2"
    Accept-Ranges: bytes
2024-12-26 23:55:09 UTC | 3758 | IN | Data Raw: 65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f 6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73
    Data Ascii: ea2============= An example PHP License, version 3.0 file =============This is the original PHP License, version 3.0 which applies only tovery old versions of PHP software (such as versions 5.1.1, 4.4.1, andearlier).The PHP License, version 3.0 is


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49739 | 185.85.0.29 | 443 | 2580 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-26 23:55:10 UTC | 119 | OUT | GET /license/3_0.txt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: www.php.net
2024-12-26 23:55:10 UTC | 238 | IN | HTTP/1.1 200 OK
Server: myracloud
Date: Thu, 26 Dec 2024 23:55:10 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
ETag: "65c3a9d7-ea2"
Accept-Ranges: bytes
2024-12-26 23:55:10 UTC | 3758 | IN | Data Raw: 65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f 6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73
Data Ascii: ea2============= An example PHP License, version 3.0 file =============This is the original PHP License, version 3.0 which applies only tovery old versions of PHP software (such as versions 5.1.1, 4.4.1, andearlier).The PHP License, version 3.0 is


Session ID | Source IP | Source Port | Destination IP | Destination Port
5 | 192.168.2.4 | 49753 | 185.85.0.29 | 443

Timestamp | Bytes transferred | Direction | Data
2024-12-26 23:59:46 UTC | 119 | OUT | GET /license/3_0.txt HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Host: www.php.net
2024-12-26 23:59:46 UTC | 238 | IN | HTTP/1.1 200 OK
Server: myracloud
Date: Thu, 26 Dec 2024 23:59:46 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
ETag: "65c3a9d7-ea2"
Accept-Ranges: bytes
2024-12-26 23:59:46 UTC | 3758 | IN | Data Raw: 65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f 6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73
Data Ascii: ea2============= An example PHP License, version 3.0 file =============This is the original PHP License, version 3.0 which applies only tovery old versions of PHP software (such as versions 5.1.1, 4.4.1, andearlier).The PHP License, version 3.0 is
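Each of the sessions above fetches /license/3_0.txt from www.php.net and receives a chunked response, and the report prints only the start of the first chunk as "Data Raw". The following is an added example (not part of the Joe Sandbox report) that shows how to sanity-check such a record offline: it decodes the hex dump, reads the chunk-size line, compares it with the size component of the nginx-style ETag (hex mtime, hyphen, hex size), compares the ETag's mtime with the Last-Modified header, and checks whether one chunk plus chunked framing accounts for the 3758 bytes the report counted. The headers and hex are copied from Session 4; the interpretation of the ETag as mtime-size is the nginx convention, assumed here because the values agree.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Copied from Session 4 of the report above: the response headers and the
# truncated "Data Raw" dump as printed (the report does not show the whole body).
RESPONSE_HEADERS = """HTTP/1.1 200 OK
Server: myracloud
Date: Thu, 26 Dec 2024 23:55:10 GMT
Content-Type: text/plain
Transfer-Encoding: chunked
Connection: close
Last-Modified: Wed, 07 Feb 2024 16:03:35 GMT
ETag: "65c3a9d7-ea2"
Accept-Ranges: bytes"""

DATA_RAW = (
    "65 61 32 0d 0a 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 20 41 6e 20 65 78 "
    "61 6d 70 6c 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 "
    "6f 6e 20 33 2e 30 20 66 69 6c 65 20 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d "
    "3d 0a 0a 54 68 69 73 20 69 73 20 74 68 65 20 6f 72 69 67 69 6e 61 6c 20 "
    "50 48 50 20 4c 69 63 65 6e 73 65 2c 20 76 65 72 73 69 6f 6e 20 33 2e 30 "
    "20 77 68 69 63 68 20 61 70 70 6c 69 65 73 20 6f 6e 6c 79 20 74 6f 0a 76 "
    "65 72 79 20 6f 6c 64 20 76 65 72 73 69 6f 6e 73 20 6f 66 20 50 48 50 20 "
    "73 6f 66 74 77 61 72 65 20 28 73 75 63 68 20 61 73 20 76 65 72 73 69 6f "
    "6e 73 20 35 2e 31 2e 31 2c 20 34 2e 34 2e 31 2c 20 61 6e 64 0a 65 61 72 "
    "6c 69 65 72 29 2e 0a 0a 54 68 65 20 50 48 50 20 4c 69 63 65 6e 73 65 2c "
    "20 76 65 72 73 69 6f 6e 20 33 2e 30 20 69 73"
)
BYTES_TRANSFERRED_IN = 3758  # "Bytes transferred" of the Data Raw record


def parse_headers(raw):
    """Split a raw response head into (status line, {lowercased name: value})."""
    lines = raw.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def first_chunk(data_raw):
    """Decode the hex dump and split off the first chunk-size line.
    Returns (declared chunk size, the body bytes that follow it in the dump)."""
    raw = bytes.fromhex(data_raw)
    size_line, sep, rest = raw.partition(b"\r\n")
    if not sep:
        raise ValueError("no chunk-size line in dump")
    # RFC 9112: chunk-size may be followed by ";ext" parameters
    return int(size_line.split(b";")[0].strip(), 16), rest


def nginx_etag(etag):
    """nginx-style ETag "<hex mtime>-<hex size>" -> (mtime as UTC datetime, size),
    or None if the tag does not have that shape."""
    m = re.fullmatch(r'(?:W/)?"([0-9a-f]+)-([0-9a-f]+)"', etag)
    if not m:
        return None
    mtime = datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)
    return mtime, int(m.group(2), 16)


def chunked_wire_length(chunk_sizes):
    """Bytes on the wire for a chunked body made of the given non-empty chunks:
    '<hex size>\\r\\n' + data + '\\r\\n' per chunk, then the '0\\r\\n\\r\\n' terminator."""
    return sum(len(f"{n:x}") + 2 + n + 2 for n in chunk_sizes) + 5


def check_session(raw_headers, data_raw, bytes_in):
    """Cross-check one captured response: chunk size vs ETag size, ETag mtime vs
    Last-Modified, and single-chunk framing vs the sandbox's byte count."""
    _, h = parse_headers(raw_headers)
    chunk_len, prefix = first_chunk(data_raw)
    findings = {
        "chunk_size": chunk_len,
        "dump_truncated": len(prefix) < chunk_len,
        "body_prefix": prefix.decode("utf-8", "replace"),
        "single_chunk_accounts_for_bytes": chunked_wire_length([chunk_len]) == bytes_in,
    }
    tag = nginx_etag(h.get("etag", ""))
    if tag:
        mtime, size = tag
        findings["etag_mtime"] = mtime.isoformat()
        findings["etag_size_matches_chunk"] = size == chunk_len
        findings["etag_mtime_matches_last_modified"] = (
            mtime == parsedate_to_datetime(h["last-modified"]))
    return findings


if __name__ == "__main__":
    for k, v in check_session(RESPONSE_HEADERS, DATA_RAW, BYTES_TRANSFERRED_IN).items():
        print(f"{k}: {v!r}" if k != "body_prefix" else f"{k}: {v[:60]!r}...")
```

For this capture all three checks agree: the first chunk declares 0xea2 bytes, the ETag's size component is 0xea2, its mtime component decodes to 07 Feb 2024 16:03:35 UTC, and 3 + 2 + 3746 + 2 + 5 = 3758 bytes, so the server sent the whole file as a single chunk and the sandbox saw the complete transfer even though the printed dump stops early. When such a check fails (for example the chunk size and the byte count disagree), the capture is incomplete or the response was not what the headers claim, which matters before treating the fetched content as a benign connectivity probe.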


Code Manipulations

Function Name | Hook Type | Active in Processes
RtlExitUserThread | INLINE | explorer.exe
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | explorer.exe
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | explorer.exe
CreateProcessAsUserW | EAT | explorer.exe
CreateProcessAsUserW | INLINE | explorer.exe
CreateProcessW | EAT | explorer.exe
CreateProcessW | INLINE | explorer.exe
CreateProcessA | EAT | explorer.exe
CreateProcessA | INLINE | explorer.exe

Function Name | Hook Type | New Data
RtlExitUserThread | INLINE | 0xEB 0xBF 0xFE 0xEC 0xCC 0xCC

Function Name | Hook Type | New Data
api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW | IAT | 7FFE216DE400
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | FBE8DCC

Function Name | Hook Type | New Data
CreateProcessAsUserW | EAT | 7FFE216DE41C
CreateProcessAsUserW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessW | EAT | 7FFE216DE400
CreateProcessW | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00
CreateProcessA | EAT | 7FFE216DE40E
CreateProcessA | INLINE | 0xFF 0xF2 0x25 0x50 0x00 0x00

Function Name | Hook Type | New Data
api-ms-win-core-registry-l1-1-0.dll:RegGetValueW | IAT | FBE8DCC
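The hook tables above list, per function in explorer.exe, the hook mechanism and the "New Data" the sandbox observed. Reading the table the way the column names suggest (for EAT and IAT hooks the new data is the replacement pointer, for INLINE hooks it is the bytes now at the function's prologue), the following added example (not part of the Joe Sandbox report) turns the rows into a summary an analyst can act on: which functions are hooked through more than one layer, whether the same function is redirected to the same address through different tables, and how the redirect targets cluster in memory, since a tight cluster usually marks one injected region worth dumping. The rows are copied from the table; the 0x1000-byte clustering window is an assumption chosen for this illustration.

```python
from collections import defaultdict

# Copied from the "Code Manipulations" tables above (explorer.exe):
# (function as printed, hook type, "New Data" as printed)
HOOKS = [
    ("RtlExitUserThread", "INLINE", "0xEB 0xBF 0xFE 0xEC 0xCC 0xCC"),
    ("api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW", "IAT", "7FFE216DE400"),
    ("api-ms-win-core-registry-l1-1-0.dll:RegGetValueW", "IAT", "FBE8DCC"),
    ("CreateProcessAsUserW", "EAT", "7FFE216DE41C"),
    ("CreateProcessAsUserW", "INLINE", "0xFF 0xF2 0x25 0x50 0x00 0x00"),
    ("CreateProcessW", "EAT", "7FFE216DE400"),
    ("CreateProcessW", "INLINE", "0xFF 0xF2 0x25 0x50 0x00 0x00"),
    ("CreateProcessA", "EAT", "7FFE216DE40E"),
    ("CreateProcessA", "INLINE", "0xFF 0xF2 0x25 0x50 0x00 0x00"),
]


def base_name(fn):
    """Strip the 'module.dll:' prefix the report puts on IAT entries."""
    return fn.rsplit(":", 1)[-1]


def layers(hooks):
    """Hook mechanisms seen per function, e.g. {'CreateProcessW': {'EAT','IAT','INLINE'}}."""
    by_fn = defaultdict(set)
    for fn, kind, _ in hooks:
        by_fn[base_name(fn)].add(kind)
    return dict(by_fn)


def redirect_targets(hooks):
    """Addresses that EAT/IAT hooks now resolve to, per function."""
    out = defaultdict(set)
    for fn, kind, data in hooks:
        if kind in ("EAT", "IAT"):
            out[base_name(fn)].add(int(data, 16))
    return dict(out)


def inline_prologues(hooks):
    """Prologue bytes written by INLINE hooks, per function."""
    return {base_name(fn): bytes(int(b, 16) for b in data.split())
            for fn, kind, data in hooks if kind == "INLINE"}


def cluster(addrs, window=0x1000):
    """Group sorted addresses whose neighbours lie within `window` bytes.
    Each group is a candidate injected stub region (assumed window size)."""
    groups = []
    for a in sorted(addrs):
        if groups and a - groups[-1][-1] <= window:
            groups[-1].append(a)
        else:
            groups.append([a])
    return groups


def summarize(hooks, window=0x1000):
    tgt = redirect_targets(hooks)
    all_addrs = set().union(*tgt.values()) if tgt else set()
    return {
        "layers": layers(hooks),
        "multi_layer": sorted(fn for fn, kinds in layers(hooks).items() if len(kinds) > 1),
        "targets": tgt,
        "clusters": cluster(all_addrs, window),
        "inline": inline_prologues(hooks),
    }


if __name__ == "__main__":
    s = summarize(HOOKS)
    print("hooked through more than one mechanism:", s["multi_layer"])
    for group in s["clusters"]:
        span = group[-1] - group[0]
        print(f"redirect cluster {group[0]:#x}..{group[-1]:#x} ({len(group)} targets, span {span:#x})")
    for fn, b in s["inline"].items():
        print(f"{fn}: prologue now {b.hex(' ')}")
```

On this table the three CreateProcess* exports are hooked through both the export table and an inline patch, CreateProcessW additionally through the import table of api-ms-win-core-processthreads-l1-1-0.dll, and the EAT and IAT entries for CreateProcessW point at the same address, 7FFE216DE400. The three EAT/IAT targets for the CreateProcess* family lie within 0x1C bytes of each other, which is the kind of observation that tells you which memory region of explorer.exe to dump first; the RegGetValueW target FBE8DCC sits far away from that group and is reported separately.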


Target ID: 0
Start time: 18:54:58
Start date: 26/12/2024
Path: C:\Windows\System32\loaddll32.exe
Wow64 process (32bit): true
Commandline: loaddll32.exe "C:\Users\user\Desktop\atw3.dll"
Imagebase: 0xfa0000
File size: 126'464 bytes
MD5 hash: 51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1740443411.0000000000DA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.1734980952.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.1739987325.0000000002D69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 1
Start time: 18:54:58
Start date: 26/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 18:54:58
Start date: 26/12/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1
Imagebase: 0x240000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 18:54:58
Start date: 26/12/2024
Path: C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit): true
Commandline: regsvr32.exe /s C:\Users\user\Desktop\atw3.dll
Imagebase: 0x2f0000
File size: 20'992 bytes
MD5 hash: 878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.1713752147.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000002.1715716468.00000000034B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.1697742809.00000000055D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 4
Start time: 18:54:58
Start date: 26/12/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe C:\Users\user\Desktop\atw3.dll,DllRegisterServer
Imagebase: 0xf0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000002.1717418718.0000000003FA0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.1701139079.0000000004749000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.1716382978.0000000004749000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

                                                                                                                                                                                Target ID:5
                                                                                                                                                                                Start time:18:54:58
                                                                                                                                                                                Start date:26/12/2024
                                                                                                                                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                Wow64 process (32bit):true
                                                                                                                                                                                Commandline:rundll32.exe "C:\Users\user\Desktop\atw3.dll",#1
                                                                                                                                                                                Imagebase:0xf0000
                                                                                                                                                                                File size:61'440 bytes
                                                                                                                                                                                MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.1698401383.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000002.1716335740.00000000042D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.1714696706.0000000004AE9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:6
                                                                                                                                                                                Start time:18:54:59
                                                                                                                                                                                Start date:26/12/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe
                                                                                                                                                                                Imagebase:0x7ff6eef20000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:7
                                                                                                                                                                                Start time:18:55:00
                                                                                                                                                                                Start date:26/12/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe
                                                                                                                                                                                Imagebase:0x7ff6eef20000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000007.00000002.1765483170.00000000002E0000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000007.00000002.1765530141.00000000002E3000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:8
                                                                                                                                                                                Start time:18:55:00
                                                                                                                                                                                Start date:26/12/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe
                                                                                                                                                                                Imagebase:0x7ff6eef20000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000008.00000002.1799435534.0000000000230000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000008.00000002.1799489416.0000000000233000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                Reputation:high
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:9
                                                                                                                                                                                Start time:18:55:03
                                                                                                                                                                                Start date:26/12/2024
                                                                                                                                                                                Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\system32\svchost.exe
                                                                                                                                                                                Imagebase:0x7ff6eef20000
                                                                                                                                                                                File size:55'320 bytes
                                                                                                                                                                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                Has elevated privileges:true
                                                                                                                                                                                Has administrator privileges:true
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000009.00000002.1789075538.00000000008F3000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000009.00000002.1788993940.00000000008F0000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                Has exited:true

                                                                                                                                                                                Target ID:10
                                                                                                                                                                                Start time:18:55:06
                                                                                                                                                                                Start date:26/12/2024
                                                                                                                                                                                Path:C:\Windows\explorer.exe
                                                                                                                                                                                Wow64 process (32bit):false
                                                                                                                                                                                Commandline:C:\Windows\Explorer.EXE
                                                                                                                                                                                Imagebase:0x7ff72b770000
                                                                                                                                                                                File size:5'141'208 bytes
                                                                                                                                                                                MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                                                                Has elevated privileges:false
                                                                                                                                                                                Has administrator privileges:false
                                                                                                                                                                                Programmed in:C, C++ or other language
                                                                                                                                                                                Yara matches:
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000A.00000002.4584529450.0000000011110000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000A.00000002.4583903329.0000000011050000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000002.4584103095.0000000011053000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000002.4583025983.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000000.1785007984.000000000FC23000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000A.00000000.1784927308.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                • Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000A.00000002.4582957265.000000000FC20000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000A.00000002.4584617538.0000000011113000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                Has exited:false

                                                                                                                                                                                Target ID:11
                                                                                                                                                                                Start time:18:55:10
Start date: 26/12/2024
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase: 0x7ff71e800000
File size: 103'288 bytes
MD5 hash: BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000B.00000002.4500037251.000001ECFC6D0000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000B.00000002.4500307838.000001ECFC6D3000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 12
Start time: 18:55:12
Start date: 26/12/2024
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase: 0x7ff71e800000
File size: 103'288 bytes
MD5 hash: BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000C.00000002.4499716991.000001D178783000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000C.00000002.4499540202.000001D178780000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
Has exited: false

Target ID: 13
Start time: 18:55:13
Start date: 26/12/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\system32\rundll32.exe" "C:\Users\user\AppData\Roaming\Microsoft\Avicprov\adsnrans.dll",DllRegisterServer
Imagebase: 0x7ff760ad0000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 0000000D.00000002.4491591462.0000018F767A0000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 0000000D.00000002.4491795198.0000018F767A3000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 16
Start time: 18:57:04
Start date: 26/12/2024
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase: 0x7ff71e800000
File size: 103'288 bytes
MD5 hash: BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Gozi_261f5ac5, Description: unknown, Source: 00000010.00000002.4494674655.0000023B60320000.00000004.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000010.00000002.4494737876.0000023B60323000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Has exited: false

Target ID: 17
Start time: 18:57:38
Start date: 26/12/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false

Target ID: 18
Start time: 18:59:10
Start date: 26/12/2024
Path: C:\Windows\System32\RuntimeBroker.exe
Wow64 process (32bit): false
Commandline: C:\Windows\System32\RuntimeBroker.exe -Embedding
Imagebase: 0x7ff71e800000
File size: 103'288 bytes
MD5 hash: BA4CFE6461AFA1004C52F19C8F2169DC
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Has exited: false


Execution Graph

Execution Coverage: 28.5%
Dynamic/Decrypted Code Coverage: 1.1%
Signature Coverage: 25.3%
Total number of Nodes: 958
Total number of Limit Nodes: 87
execution_graph: [interactive call-graph viewer; node and edge listing not rendered in text]
6cbf3aa5 CloseHandle 3057->3058 3061 6cbf3aae 3057->3061 3058->3061 3060 6cbf1bfb 3060->3027 3060->3028 3061->3060 3066 6cbf11c7 RtlFreeHeap 3061->3066 3062 6cbf3a62 3062->3054 3063 6cbf3a68 ReadFile 3062->3063 3063->3054 3063->3057 3065->3062 3066->3060 3067->3050 3068->2819 3070 6cbf162e 3069->3070 3071 6cbf1591 3069->3071 3070->2825 3071->3070 3072 6cbf159e RtlUpcaseUnicodeString 3071->3072 3072->3070 3073 6cbf15b0 3072->3073 3074 6cbf1618 3073->3074 3077 6cbf15e2 3073->3077 3075 6cbf45f3 90 API calls 3074->3075 3076 6cbf1623 RtlFreeUnicodeString 3075->3076 3076->3070 3077->3076 3083 6cbf45f3 3077->3083 3082->2819 3084 6cbf22c9 5 API calls 3083->3084 3085 6cbf4613 OpenProcess 3084->3085 3086 6cbf462f 3085->3086 3087 6cbf46b4 GetLastError 3085->3087 3089 6cbf4633 3086->3089 3090 6cbf4641 GetProcAddress GetProcAddress 3086->3090 3088 6cbf1606 3087->3088 3088->3076 3098 6cbf13e7 memset 3088->3098 3089->3090 3092 6cbf463c 3089->3092 3091 6cbf4667 3090->3091 3090->3092 3091->3092 3094 6cbf469a GetLastError 3091->3094 3095 6cbf4681 3091->3095 3093 6cbf46a9 CloseHandle 3092->3093 3093->3088 3094->3093 3114 6cbf449e memset 3095->3114 3097 6cbf468d CloseHandle 3097->3093 3099 6cbf3585 4 API calls 3098->3099 3100 6cbf1419 3099->3100 3101 6cbf14b2 3100->3101 3102 6cbf2344 GetProcAddress 3100->3102 3101->3076 3103 6cbf1430 CreateProcessA 3102->3103 3104 6cbf2344 GetProcAddress 3103->3104 3105 6cbf1453 3104->3105 3106 6cbf1499 GetLastError 3105->3106 3107 6cbf1457 3105->3107 3109 6cbf14a2 HeapFree 3106->3109 3108 6cbf449e 83 API calls 3107->3108 3110 6cbf1463 3108->3110 3109->3101 3111 6cbf146b WaitForSingleObject 3110->3111 3112 6cbf1487 CloseHandle CloseHandle 3110->3112 3111->3112 3113 6cbf147b GetExitCodeProcess 3111->3113 3112->3109 3113->3112 3115 6cbf22c9 5 API calls 3114->3115 3116 6cbf44dd 3115->3116 3117 6cbf44e5 3116->3117 3118 6cbf45ad 3116->3118 3123 6cbf4507 3117->3123 3137 6cbf3ca4 3117->3137 3166 6cbf4341 memset 3118->3166 3122 6cbf45b5 3125 6cbf45d9 
GetLastError 3122->3125 3126 6cbf45e1 ResumeThread 3122->3126 3152 6cbf2db0 3123->3152 3125->3126 3126->3097 3129 6cbf4549 ResumeThread WaitForSingleObject 3130 6cbf456a SuspendThread 3129->3130 3132 6cbf4544 3129->3132 3162 6cbf2d8f 3130->3162 3132->3129 3132->3130 3133 6cbf4594 3132->3133 3134 6cbf4599 3133->3134 3183 6cbf3ed3 3133->3183 3136 6cbf3c49 5 API calls 3134->3136 3136->3122 3207 6cbf11b2 RtlAllocateHeap 3137->3207 3139 6cbf3cbc 3140 6cbf3d7d 3139->3140 3208 6cbf2c25 memset ZwQueryInformationProcess 3139->3208 3140->3123 3144 6cbf2db0 2 API calls 3145 6cbf3ce7 3144->3145 3146 6cbf2db0 2 API calls 3145->3146 3151 6cbf3d6a 3145->3151 3147 6cbf3d03 3146->3147 3148 6cbf2db0 2 API calls 3147->3148 3147->3151 3149 6cbf3d4f 3148->3149 3150 6cbf2db0 2 API calls 3149->3150 3149->3151 3150->3151 3212 6cbf11c7 RtlFreeHeap 3151->3212 3153 6cbf2dbf 3152->3153 3154 6cbf2ddc RtlNtStatusToDosError SetLastError 3153->3154 3155 6cbf2dd4 3153->3155 3154->3155 3155->3125 3156 6cbf3c49 VirtualProtectEx 3155->3156 3157 6cbf3c9c 3156->3157 3158 6cbf3c6c 3156->3158 3157->3125 3157->3132 3213 6cbf2df1 3158->3213 3163 6cbf2dad 3162->3163 3164 6cbf2d9c RtlNtStatusToDosError 3162->3164 3163->3132 3164->3163 3218 6cbf26ae 3166->3218 3171 6cbf4494 3171->3122 3175 6cbf43dc 3175->3171 3176 6cbf43f6 ResumeThread WaitForSingleObject 3175->3176 3177 6cbf4417 Wow64SuspendThread 3175->3177 3180 6cbf4460 3175->3180 3176->3175 3176->3177 3258 6cbf4b80 3177->3258 3179 6cbf446c 3182 6cbf40cd 19 API calls 3179->3182 3180->3179 3181 6cbf3ed3 59 API calls 3180->3181 3181->3179 3182->3171 3185 6cbf3ef8 3183->3185 3184 6cbf3f1b 3184->3134 3185->3184 3314 6cbf4943 NtCreateSection 3185->3314 3188 6cbf40b5 3188->3184 3191 6cbf40bb CloseHandle 3188->3191 3189 6cbf40a3 NtUnmapViewOfSection RtlNtStatusToDosError 3189->3188 3191->3184 3192 6cbf3f8d 3206 6cbf409a 3192->3206 3324 6cbf4a02 memcpy 3192->3324 3195 6cbf3fb8 memcpy 3198 6cbf3fc4 memcpy 3195->3198 3197 6cbf401b 3199 6cbf4064 3197->3199 3201 
6cbf4057 3197->3201 3198->3197 3338 6cbf3d87 3199->3338 3328 6cbf3e34 3201->3328 3202 6cbf4062 3204 6cbf4071 memcpy 3202->3204 3202->3206 3350 6cbf29aa 3204->3350 3206->3188 3206->3189 3207->3139 3209 6cbf2c81 3208->3209 3210 6cbf2c66 3208->3210 3209->3144 3209->3151 3211 6cbf2db0 2 API calls 3210->3211 3211->3209 3212->3140 3214 6cbf2e18 3213->3214 3215 6cbf2e00 NtWriteVirtualMemory 3213->3215 3216 6cbf2e1d RtlNtStatusToDosError SetLastError 3214->3216 3215->3216 3217 6cbf2e15 VirtualProtectEx 3215->3217 3216->3217 3217->3157 3219 6cbf26bc 3218->3219 3227 6cbf271d 3218->3227 3261 6cbf2b4b 3219->3261 3221 6cbf26cc 3222 6cbf2b4b 18 API calls 3221->3222 3223 6cbf26e7 3222->3223 3224 6cbf2b4b 18 API calls 3223->3224 3225 6cbf2702 3224->3225 3226 6cbf2b4b 18 API calls 3225->3226 3226->3227 3228 6cbf41ba 3227->3228 3308 6cbf11b2 RtlAllocateHeap 3228->3308 3230 6cbf41e0 3231 6cbf430a 3230->3231 3232 6cbf41ea memset 3230->3232 3233 6cbf4337 3231->3233 3313 6cbf11c7 RtlFreeHeap 3231->3313 3309 6cbf2286 3232->3309 3233->3171 3246 6cbf2471 3233->3246 3237 6cbf422c 3237->3231 3239 6cbf2471 2 API calls 3237->3239 3238 6cbf241d 2 API calls 3238->3237 3240 6cbf4267 3239->3240 3240->3231 3241 6cbf2471 2 API calls 3240->3241 3242 6cbf4289 3241->3242 3242->3231 3243 6cbf2471 2 API calls 3242->3243 3244 6cbf42ed 3243->3244 3244->3231 3245 6cbf2471 2 API calls 3244->3245 3245->3231 3247 6cbf241d 2 API calls 3246->3247 3248 6cbf2487 3247->3248 3248->3171 3249 6cbf40cd 3248->3249 3250 6cbf26ae 18 API calls 3249->3250 3251 6cbf40f6 3250->3251 3252 6cbf4b80 NtWriteVirtualMemory 3251->3252 3253 6cbf4145 3252->3253 3254 6cbf41ad 3253->3254 3255 6cbf4b80 NtWriteVirtualMemory 3253->3255 3254->3175 3256 6cbf4173 3255->3256 3257 6cbf4b80 NtWriteVirtualMemory 3256->3257 3257->3254 3259 6cbf4b98 3258->3259 3260 6cbf4bb8 NtWriteVirtualMemory 3259->3260 3260->3175 3262 6cbf2b57 3261->3262 3273 6cbf2a18 3262->3273 3265 6cbf2b7c VirtualAlloc 3266 6cbf2b94 3265->3266 3272 6cbf2bda 3265->3272 3270 
6cbf2bc8 3266->3270 3286 6cbf241d 3266->3286 3267 6cbf2c09 VirtualFree 3268 6cbf2c18 3267->3268 3268->3221 3271 6cbf389c 2 API calls 3270->3271 3271->3272 3272->3267 3272->3268 3290 6cbf2492 GetProcAddress 3273->3290 3276 6cbf2492 7 API calls 3277 6cbf2a5d 3276->3277 3277->3276 3280 6cbf2a7b VirtualFree VirtualAlloc 3277->3280 3281 6cbf2a9b 3277->3281 3278 6cbf2b2f VirtualFree 3279 6cbf2b3d 3278->3279 3279->3265 3279->3272 3280->3277 3280->3281 3282 6cbf2abc lstrcmpiA 3281->3282 3283 6cbf2afe 3281->3283 3282->3283 3284 6cbf2ad0 StrChrA 3282->3284 3283->3278 3283->3279 3284->3281 3285 6cbf2add lstrcmpiA 3284->3285 3285->3281 3285->3283 3287 6cbf244e NtWow64ReadVirtualMemory64 3286->3287 3288 6cbf2434 GetProcAddress 3286->3288 3289 6cbf2467 3287->3289 3288->3287 3288->3289 3289->3266 3291 6cbf24be NtWow64QueryInformationProcess64 3290->3291 3295 6cbf268b VirtualAlloc 3290->3295 3292 6cbf24d6 3291->3292 3291->3295 3293 6cbf11b2 RtlAllocateHeap 3292->3293 3294 6cbf24e0 3293->3294 3294->3295 3296 6cbf11b2 RtlAllocateHeap 3294->3296 3295->3277 3295->3283 3297 6cbf24f5 3296->3297 3298 6cbf266a 3297->3298 3299 6cbf241d GetProcAddress NtWow64ReadVirtualMemory64 3297->3299 3300 6cbf11c7 RtlFreeHeap 3298->3300 3301 6cbf250d 3299->3301 3302 6cbf2681 3300->3302 3301->3298 3304 6cbf241d GetProcAddress NtWow64ReadVirtualMemory64 3301->3304 3302->3295 3303 6cbf11c7 RtlFreeHeap 3302->3303 3303->3295 3306 6cbf2529 3304->3306 3305 6cbf241d GetProcAddress NtWow64ReadVirtualMemory64 3305->3306 3306->3298 3306->3305 3307 6cbf2629 StrRChrA 3306->3307 3307->3306 3308->3230 3310 6cbf22af NtWow64QueryInformationProcess64 3309->3310 3311 6cbf2295 GetProcAddress 3309->3311 3312 6cbf22c3 3310->3312 3311->3310 3311->3312 3312->3237 3312->3238 3313->3233 3315 6cbf49de RtlNtStatusToDosError 3314->3315 3316 6cbf49a8 3314->3316 3322 6cbf49d7 3315->3322 3362 6cbf4904 NtMapViewOfSection RtlNtStatusToDosError 3316->3362 3318 6cbf49b6 3320 6cbf49bc memset 3318->3320 3318->3322 3319 6cbf3f5d 3319->3206 
3323 6cbf4904 NtMapViewOfSection RtlNtStatusToDosError 3319->3323 3320->3322 3321 6cbf49f0 ZwClose 3321->3319 3322->3319 3322->3321 3323->3192 3325 6cbf4a4d 3324->3325 3327 6cbf3fa6 3324->3327 3326 6cbf4a67 memcpy 3325->3326 3325->3327 3326->3325 3327->3195 3327->3198 3327->3206 3329 6cbf3e44 3328->3329 3330 6cbf2b4b 18 API calls 3329->3330 3331 6cbf3eba memcpy 3329->3331 3332 6cbf3e6f 3330->3332 3333 6cbf3ecd 3331->3333 3332->3333 3334 6cbf2b4b 18 API calls 3332->3334 3333->3202 3335 6cbf3e8c 3334->3335 3335->3333 3336 6cbf2b4b 18 API calls 3335->3336 3337 6cbf3ea9 3336->3337 3337->3331 3337->3333 3339 6cbf3db2 GetModuleHandleA 3338->3339 3342 6cbf3d98 3338->3342 3340 6cbf3e2d 3339->3340 3341 6cbf3dc6 3339->3341 3340->3202 3363 6cbf236c 3341->3363 3342->3339 3344 6cbf3e1a memcpy 3342->3344 3344->3340 3346 6cbf236c 11 API calls 3347 6cbf3dec 3346->3347 3347->3340 3348 6cbf236c 11 API calls 3347->3348 3349 6cbf3e08 3348->3349 3349->3340 3349->3344 3377 6cbf11b2 RtlAllocateHeap 3350->3377 3352 6cbf29bf 3353 6cbf2a0e 3352->3353 3354 6cbf29c5 memset 3352->3354 3353->3206 3355 6cbf29fe 3354->3355 3356 6cbf29eb 3354->3356 3393 6cbf2885 memset 3355->3393 3356->3355 3358 6cbf29f4 3356->3358 3378 6cbf272f memset 3358->3378 3360 6cbf29fc 3407 6cbf11c7 RtlFreeHeap 3360->3407 3362->3318 3364 6cbf2c92 5 API calls 3363->3364 3365 6cbf2386 3364->3365 3366 6cbf2414 3365->3366 3367 6cbf389c 2 API calls 3365->3367 3366->3340 3366->3346 3369 6cbf2398 3367->3369 3368 6cbf240b 3376 6cbf11c7 RtlFreeHeap 3368->3376 3369->3368 3371 6cbf23ad CreateFileA 3369->3371 3371->3368 3372 6cbf23ce SetFilePointer 3371->3372 3373 6cbf23dc ReadFile 3372->3373 3374 6cbf2402 CloseHandle 3372->3374 3373->3374 3375 6cbf23f4 3373->3375 3374->3368 3375->3374 3376->3366 3377->3352 3379 6cbf26ae 18 API calls 3378->3379 3380 6cbf2762 memcpy 3379->3380 3408 6cbf2e32 3380->3408 3383 6cbf279f 3386 6cbf4b80 NtWriteVirtualMemory 3383->3386 3384 6cbf2794 GetLastError 3385 6cbf2865 3384->3385 3387 6cbf27c9 3385->3387 
3388 6cbf2877 GetLastError 3385->3388 3389 6cbf27c2 3386->3389 3387->3360 3388->3387 3389->3387 3390 6cbf2df1 3 API calls 3389->3390 3391 6cbf281d 3390->3391 3391->3388 3392 6cbf4b80 NtWriteVirtualMemory 3391->3392 3392->3385 3394 6cbf28be 3393->3394 3395 6cbf2982 3393->3395 3396 6cbf2e32 3 API calls 3394->3396 3398 6cbf299a GetLastError 3395->3398 3400 6cbf29a3 3395->3400 3397 6cbf28cf 3396->3397 3397->3398 3399 6cbf2d8f RtlNtStatusToDosError 3397->3399 3398->3400 3401 6cbf28e8 3399->3401 3400->3360 3401->3395 3402 6cbf28f3 memcpy 3401->3402 3403 6cbf2935 3402->3403 3404 6cbf2df1 3 API calls 3403->3404 3405 6cbf295d 3404->3405 3405->3395 3405->3400 3406 6cbf297b RtlNtStatusToDosError 3405->3406 3406->3395 3407->3353 3409 6cbf278c 3408->3409 3410 6cbf2e44 NtAllocateVirtualMemory 3408->3410 3409->3383 3409->3384 3410->3409 3411 6cbf2e69 RtlNtStatusToDosError SetLastError 3410->3411 3411->3409 3413 6cbf692b memset GetModuleHandleA InitializeCriticalSection LoadLibraryW 3412->3413 3438 6cbf6924 3412->3438 3414 6cbf6976 LoadLibraryW 3413->3414 3413->3438 3415 6cbf698c 3414->3415 3414->3438 3453 6cbf4fc0 GetVersionExW 3415->3453 3418 6cbf7032 RegisterClassExW 3419 6cbf70ab CreateWindowExW 3418->3419 3418->3438 3421 6cbf70df 3419->3421 3424 6cbf70e8 3419->3424 3481 6cbf51f0 3421->3481 3422 6cbf714e CreateThread 3426 6cbf72a7 UnregisterClassW VirtualFree 3422->3426 3427 6cbf7182 WaitForSingleObject 3422->3427 3492 6cbf5e30 3422->3492 3424->3422 3424->3438 3425 6cbf6a81 IsWow64Process 3439 6cbf6a91 3425->3439 3426->3438 3428 6cbf71a8 3427->3428 3429 6cbf71b7 TerminateThread 3427->3429 3428->3429 3430 6cbf71da WaitForSingleObject TerminateThread 3429->3430 3431 6cbf7206 3429->3431 3430->3431 3433 6cbf7215 WaitForSingleObject TerminateThread 3431->3433 3434 6cbf7241 RemoveFontResourceExW 3431->3434 3432 6cbf69bf 3432->3425 3432->3438 3433->3434 3435 6cbf725b 3434->3435 3436 6cbf7259 3434->3436 3485 6cbf5240 3435->3485 3436->3434 3438->2831 3439->3438 3441 6cbf6bfe 
LoadLibraryExW 3439->3441 3442 6cbf6c12 3439->3442 3443 6cbf6c2e 3441->3443 3442->3443 3444 6cbf6c1c LoadLibraryExW 3442->3444 3445 6cbf6c38 GetProcAddress 3443->3445 3452 6cbf6c54 3443->3452 3444->3443 3445->3452 3457 6cbf5760 CreateWindowExW 3452->3457 3454 6cbf4fe4 3453->3454 3454->3418 3454->3432 3455 6cbf5020 GetModuleHandleW 3454->3455 3456 6cbf503a 3455->3456 3456->3432 3458 6cbf5804 3457->3458 3459 6cbf57a1 3457->3459 3465 6cbf5810 RegisterClassExW 3458->3465 3460 6cbf51f0 2 API calls 3459->3460 3461 6cbf57aa 3460->3461 3462 6cbf57fa DestroyWindow 3461->3462 3463 6cbf57b3 SetWindowLongW 3461->3463 3462->3458 3464 6cbf57cd 3463->3464 3464->3462 3466 6cbf58ae CreateWindowExW 3465->3466 3473 6cbf58a7 3465->3473 3467 6cbf58ea RegisterClassExW 3466->3467 3466->3473 3468 6cbf5910 CreateWindowExW 3467->3468 3467->3473 3469 6cbf594b 3468->3469 3468->3473 3470 6cbf51f0 2 API calls 3469->3470 3471 6cbf5954 3470->3471 3472 6cbf51f0 2 API calls 3471->3472 3474 6cbf5960 3472->3474 3473->3418 3473->3438 3476 6cbf5190 3473->3476 3474->3473 3475 6cbf59c6 DestroyWindow DestroyWindow 3474->3475 3475->3473 3489 6cbf5070 LoadLibraryW GetProcAddress 3476->3489 3478 6cbf51a0 3479 6cbf51d2 3478->3479 3480 6cbf51a9 GetCurrentProcess 3478->3480 3479->3418 3480->3479 3482 6cbf5209 3481->3482 3483 6cbf5204 3481->3483 3482->3424 3490 6cbf5090 LoadLibraryW GetProcAddress 3483->3490 3486 6cbf5254 3485->3486 3487 6cbf526e UnregisterClassW 3486->3487 3488 6cbf52a6 UnregisterClassW UnregisterClassW UnregisterClassW 3486->3488 3487->3486 3488->3426 3489->3478 3491 6cbf50b9 3490->3491 3491->3482 3493 6cbf5e9f 3492->3493 3494 6cbf5eae 3492->3494 3493->3494 3495 6cbf5eb5 VirtualAlloc 3493->3495 3496 6cbf5edc SHGetFolderPathW 3495->3496 3497 6cbf6162 3495->3497 3496->3497 3499 6cbf5f0b wcslen 3496->3499 3497->3494 3498 6cbf6174 RegisterClassExW 3497->3498 3498->3494 3500 6cbf6211 memset 3498->3500 3501 6cbf5f6d memset memcpy memcpy AddFontResourceExW 3499->3501 3502 6cbf5f36 3499->3502 3503 
6cbf6233 3500->3503 3504 6cbf5fdf RemoveFontResourceExW 3501->3504 3505 6cbf5ff9 3501->3505 3502->3501 3506 6cbf624e CreateWindowExW 3503->3506 3513 6cbf6297 3503->3513 3504->3505 3505->3497 3507 6cbf6003 memset memcpy FindFirstFileW 3505->3507 3506->3503 3506->3513 3508 6cbf6127 3507->3508 3509 6cbf6073 FindNextFileW 3507->3509 3508->3497 3510 6cbf6130 AddFontResourceExW 3508->3510 3509->3508 3511 6cbf608f 3509->3511 3510->3497 3512 6cbf6148 RemoveFontResourceExW 3510->3512 3511->3509 3514 6cbf60aa memset memcpy wcslen memcpy 3511->3514 3512->3497 3516 6cbf51f0 2 API calls 3513->3516 3517 6cbf6419 3513->3517 3514->3511 3515 6cbf6525 3515->3494 3518 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3515->3518 3519 6cbf6308 3516->3519 3517->3515 3520 6cbf650f DestroyWindow 3517->3520 3518->3494 3521 6cbf6598 SetWindowLongW 3518->3521 3522 6cbf51f0 2 API calls 3519->3522 3520->3517 3523 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3521->3523 3529 6cbf6324 3522->3529 3523->3494 3524 6cbf664a SetThreadAffinityMask 3523->3524 3585 6cbf5500 memcpy 3523->3585 3596 6cbf53f0 3523->3596 3524->3494 3525 6cbf667f SetThreadAffinityMask 3524->3525 3526 6cbf6698 7 API calls 3525->3526 3527 6cbf6706 7 API calls 3525->3527 3528 6cbf6772 ResumeThread ResumeThread Sleep 3526->3528 3527->3528 3534 6cbf679f 3528->3534 3529->3517 3533 6cbf51f0 2 API calls 3529->3533 3530 6cbf67c5 LeaveCriticalSection 3531 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3530->3531 3532 6cbf67e5 memset 3530->3532 3531->3534 3532->3531 3535 6cbf63fa 3533->3535 3534->3494 3534->3530 3536 6cbf6854 SetMenu 3534->3536 3537 6cbf6886 3534->3537 3538 6cbf51f0 2 API calls 3535->3538 3536->3534 3540 6cbf5bb0 3537->3540 3538->3517 3568 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3540->3568 3542 6cbf5c0b 3569 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3542->3569 3544 6cbf5c75 3572 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3544->3572 3547 6cbf5c22 
3547->3544 3548 6cbf5c5c 3547->3548 3570 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3547->3570 3571 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3548->3571 3550 6cbf5ddb 3576 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3550->3576 3551 6cbf5cf6 GetCurrentProcessId 3552 6cbf5cc1 3551->3552 3552->3551 3555 6cbf5d72 3552->3555 3556 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3552->3556 3566 6cbf5d58 3552->3566 3555->3550 3559 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3555->3559 3562 6cbf5dc7 3555->3562 3556->3552 3557 6cbf5df1 3577 6cbf59f0 3557->3577 3558 6cbf5c85 3558->3552 3573 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3558->3573 3559->3555 3575 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3562->3575 3563 6cbf59f0 9 API calls 3564 6cbf5e1c 3563->3564 3564->3494 3574 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3566->3574 3568->3542 3569->3547 3570->3547 3571->3544 3572->3558 3573->3558 3574->3555 3575->3550 3576->3557 3578 6cbf5a37 3577->3578 3579 6cbf5a5d VirtualAlloc 3578->3579 3583 6cbf5a50 3578->3583 3584 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3578->3584 3581 6cbf5a9a 3579->3581 3582 6cbf5aa1 memset SetWindowLongW SetClassLongW SetWindowLongW VirtualFree 3579->3582 3581->3563 3582->3581 3583->3579 3584->3578 3590 6cbf5592 3585->3590 3586 6cbf5752 3587 6cbf5240 UnregisterClassW 3586->3587 3588 6cbf5757 3587->3588 3589 6cbf564e EnterCriticalSection SuspendThread 3589->3590 3590->3586 3590->3589 3591 6cbf5240 UnregisterClassW 3590->3591 3592 6cbf56bf RegisterClassExW 3590->3592 3593 6cbf56ab RemoveFontResourceExW 3590->3593 3594 6cbf5722 ResumeThread LeaveCriticalSection SwitchToThread 3590->3594 3595 6cbf5240 UnregisterClassW 3590->3595 3591->3590 3592->3590 3593->3592 3594->3590 3595->3594 3599 6cbf53fb 3596->3599 3597 6cbf54f0 3598 6cbf542f RemoveFontResourceExW SetThreadAffinityMask 3598->3599 3599->3597 3599->3598 3600 6cbf5494 SetThreadPriority 3599->3600 3601 6cbf5473 SetThreadAffinityMask 
3599->3601 3602 6cbf54e5 SwitchToThread 3599->3602 3603 6cbf54d2 ResumeThread 3599->3603 3600->3599 3601->3599 3602->3599 3603->3602 3621 6cbf3b2b GetTempPathA 3604->3621 3606 6cbf3ba2 3607 6cbf1d52 3606->3607 3608 6cbf361f 4 API calls 3606->3608 3607->2838 3611 6cbf3ac5 CreateFileW 3607->3611 3609 6cbf3bb0 3608->3609 3631 6cbf11c7 RtlFreeHeap 3609->3631 3612 6cbf3aeb GetLastError 3611->3612 3613 6cbf3af5 WriteFile 3611->3613 3614 6cbf3b23 3612->3614 3615 6cbf3b0b SetEndOfFile 3613->3615 3616 6cbf3b14 GetLastError 3613->3616 3614->2840 3617 6cbf3b1c CloseHandle 3615->3617 3616->3617 3617->3614 3618->2843 3619->2845 3620->2838 3622 6cbf3b40 3621->3622 3630 6cbf3b8b 3621->3630 3632 6cbf11b2 RtlAllocateHeap 3622->3632 3624 6cbf3b49 3625 6cbf3b4f GetTempPathA 3624->3625 3624->3630 3626 6cbf3b57 GetTickCount GetTempFileNameA 3625->3626 3627 6cbf3b85 3625->3627 3626->3627 3628 6cbf3b70 PathFindExtensionA lstrcpyA 3626->3628 3633 6cbf11c7 RtlFreeHeap 3627->3633 3628->3630 3630->3606 3631->3607 3632->3624 3633->3630 3634->2863 3635->2863 3636->2865 3637->2866 3658 6cbf62a7 3659 6cbf62b6 3658->3659 3662 6cbf51f0 2 API calls 3659->3662 3663 6cbf6419 3659->3663 3660 6cbf6525 3661 6cbf6542 3660->3661 3664 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3660->3664 3665 6cbf6308 3662->3665 3663->3660 3666 6cbf650f DestroyWindow 3663->3666 3664->3661 3667 6cbf6598 SetWindowLongW 3664->3667 3668 6cbf51f0 2 API calls 3665->3668 3666->3663 3669 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3667->3669 3675 6cbf6324 3668->3675 3669->3661 3670 6cbf664a SetThreadAffinityMask 3669->3670 3686 6cbf5500 9 API calls 3669->3686 3687 6cbf53f0 6 API calls 3669->3687 3670->3661 3671 6cbf667f SetThreadAffinityMask 3670->3671 3672 6cbf6698 7 API calls 3671->3672 3673 6cbf6706 7 API calls 3671->3673 3674 6cbf6772 ResumeThread ResumeThread Sleep 3672->3674 3673->3674 3680 6cbf679f 3674->3680 3675->3663 3679 6cbf51f0 2 API calls 3675->3679 3676 6cbf67c5 
LeaveCriticalSection 3677 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3676->3677 3678 6cbf67e5 memset 3676->3678 3677->3680 3678->3677 3681 6cbf63fa 3679->3681 3680->3661 3680->3676 3682 6cbf6854 SetMenu 3680->3682 3683 6cbf6886 3680->3683 3684 6cbf51f0 2 API calls 3681->3684 3682->3680 3685 6cbf5bb0 10 API calls 3683->3685 3684->3663 3685->3661 3688 6cbf70a6 3689 6cbf7139 3688->3689 3690 6cbf714e CreateThread 3689->3690 3691 6cbf7147 3689->3691 3692 6cbf72a7 UnregisterClassW VirtualFree 3690->3692 3693 6cbf7182 WaitForSingleObject 3690->3693 3704 6cbf5e30 67 API calls 3690->3704 3692->3691 3694 6cbf71a8 3693->3694 3695 6cbf71b7 TerminateThread 3693->3695 3694->3695 3696 6cbf71da WaitForSingleObject TerminateThread 3695->3696 3697 6cbf7206 3695->3697 3696->3697 3698 6cbf7215 WaitForSingleObject TerminateThread 3697->3698 3699 6cbf7241 RemoveFontResourceExW 3697->3699 3698->3699 3700 6cbf725b 3699->3700 3701 6cbf7259 3699->3701 3702 6cbf5240 UnregisterClassW 3700->3702 3701->3699 3703 6cbf7260 UnregisterClassW UnregisterClassW UnregisterClassW 3702->3703 3703->3692 3793 6cbf6645 3794 6cbf6772 ResumeThread ResumeThread Sleep 3793->3794 3800 6cbf679f 3794->3800 3795 6cbf67c5 LeaveCriticalSection 3796 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3795->3796 3797 6cbf67e5 memset 3795->3797 3796->3800 3797->3796 3798 6cbf6854 SetMenu 3798->3800 3799 6cbf6886 3801 6cbf5bb0 10 API calls 3799->3801 3800->3795 3800->3798 3800->3799 3802 6cbf688b 3800->3802 3801->3802 3803 6cbf7344 3804 6cbf73f8 3803->3804 3805 6cbf7362 3803->3805 3806 6cbf755d NtQueryVirtualMemory 3805->3806 3808 6cbf737d 3806->3808 3807 6cbf7448 RtlUnwind 3807->3808 3808->3804 3808->3807 3651 6cbf1142 3652 6cbf114f 3651->3652 3653 6cbf1191 InterlockedDecrement 3651->3653 3654 6cbf1179 3652->3654 3655 6cbf1152 InterlockedIncrement 3652->3655 3653->3654 3656 6cbf11a0 HeapDestroy 3653->3656 3655->3654 3657 6cbf1161 HeapCreate 3655->3657 3656->3654 3657->3654 3751 6cbf5300 
DefWindowProcW

Control-flow Graph

APIs
• HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
• HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
• memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
• CloseHandle.KERNEL32(?), ref: 6CBF3097
• StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
• lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
• FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
• FindNextFileA.KERNEL32(?,?), ref: 6CBF3125
• FindClose.KERNEL32(?), ref: 6CBF3132
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF313E
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3160
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF3193
• memcpy.NTDLL(00000000,?,00000000), ref: 6CBF31CC
• FindNextFileA.KERNELBASE(?,?), ref: 6CBF31E1
• FindClose.KERNEL32(?), ref: 6CBF31EE
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF31FA
• CompareFileTime.KERNEL32(?,?), ref: 6CBF320A
• FindClose.KERNELBASE(?), ref: 6CBF322E
• HeapFree.KERNEL32(00000000,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF3240
• HeapFree.KERNEL32(00000000,6CBF11FC), ref: 6CBF3250
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
                                                                                                                                                                                  • String ID: %systemroot%\system32\c_1252.nls$C;U$N;U$\*.dll
                                                                                                                                                                                  • API String ID: 65366329-1666359264
                                                                                                                                                                                  • Opcode ID: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
                                                                                                                                                                                  • Instruction ID: 05d5463d24ce46c45770ecb8a2ba2b729a7eeb245f1c4261e05fee7f870330c0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 55815AB1E00159AFDF119FA5DC88AEEBBB9FB4A300F10416AE525E3350D7319A49CF61

Control-flow Graph

APIs
• SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000002), ref: 6CBF1022
• SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 6CBF1043
• SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,0000000C,?,00000000,00000000,?), ref: 6CBF1068
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,?,?), ref: 6CBF1092
• StrStrIA.SHLWAPI(00000000,vbox), ref: 6CBF10A4
• StrStrIA.SHLWAPI(00000000,qemu), ref: 6CBF10B0
• StrStrIA.SHLWAPI(00000000,vmware), ref: 6CBF10BC
• StrStrIA.SHLWAPI(00000000,virtual hd), ref: 6CBF10C8
• SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 6CBF10DA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Setup$Device$InfoPropertyRegistry$AllocateClassDestroyDevsEnumHeapList
• String ID: qemu$vbox$virtual hd$vmware
• API String ID: 2901969455-1017834832
• Opcode ID: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
• Instruction ID: fd22ef24022785b512a174992cb252a9fd1467c273b143b92da56823b82780ef
• Opcode Fuzzy Hash: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
• Instruction Fuzzy Hash: 5B21697190115DBAEF01DAA5CD80DFFBBBCEB06758F140526F920E3640D7719E0A9B61

Control-flow Graph

control_flow_graph 199 6cbf150f-6cbf1526 LoadLibraryA 200 6cbf1528-6cbf153c GetProcAddress 199->200 201 6cbf1574-6cbf1579 199->201 202 6cbf153e-6cbf1551 GetModuleHandleA GetProcAddress 200->202 203 6cbf1572-6cbf1573 200->203 202->203 204 6cbf1553-6cbf155e FindWindowA 202->204 203->201 204->203 205 6cbf1560-6cbf1569 204->205 205->203 207 6cbf156b 205->207 207->203
APIs
• LoadLibraryA.KERNEL32(USER32.DLL,6CBF0000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF151E
• GetProcAddress.KERNEL32(00000000,FindWindowA), ref: 6CBF1536
• GetModuleHandleA.KERNEL32(USER32.DLL,GetWindowThreadProcessId,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF1544
• GetProcAddress.KERNEL32(00000000), ref: 6CBF154B
• FindWindowA.USER32(ProgMan,00000000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF155A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: AddressProc$FindHandleLibraryLoadModuleWindow
• String ID: FindWindowA$GetWindowThreadProcessId$N;U$N;U$ProgMan$USER32.DLL
• API String ID: 2344282417-784344377
• Opcode ID: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
• Instruction ID: 90303c8af2e5426ee61dd3f30d4da4a227fc22531a4cb19a3f2950c7a1b0db72
• Opcode Fuzzy Hash: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
• Instruction Fuzzy Hash: 8EF0F6B2E01259B7EF0196B99C46FAF7AECDB06654F60041AA533E3700DA74DD0A86B1

Control-flow Graph

control_flow_graph 296 6cbf3ed3-6cbf3ef6 297 6cbf3ef8-6cbf3eff 296->297 298 6cbf3f10-6cbf3f15 296->298 297->298 299 6cbf3f01-6cbf3f0e 297->299 300 6cbf3f17-6cbf3f19 298->300 299->300 301 6cbf3f1b-6cbf3f22 300->301 302 6cbf3f27-6cbf3f62 call 6cbf4943 300->302 303 6cbf40c4-6cbf40ca 301->303 306 6cbf409d-6cbf40a1 302->306 307 6cbf3f68-6cbf3f92 call 6cbf4904 302->307 308 6cbf40b5-6cbf40b9 306->308 309 6cbf40a3-6cbf40af NtUnmapViewOfSection RtlNtStatusToDosError 306->309 307->306 313 6cbf3f98-6cbf3fab call 6cbf4a02 307->313 308->303 311 6cbf40bb-6cbf40be CloseHandle 308->311 309->308 311->303 313->306 316 6cbf3fb1-6cbf3fb6 313->316 317 6cbf3fb8-6cbf3fc1 memcpy 316->317 318 6cbf3fc4-6cbf3fc9 316->318 317->318 319 6cbf3fcb-6cbf3fd3 318->319 320 6cbf3ff6-6cbf4019 memcpy 318->320 319->320 321 6cbf3fd5 319->321 322 6cbf402c-6cbf4030 320->322 323 6cbf401b-6cbf4029 320->323 324 6cbf3fda-6cbf3ff4 321->324 325 6cbf4048-6cbf404c 322->325 326 6cbf4032-6cbf4045 322->326 323->322 324->320 327 6cbf3fd7 324->327 328 6cbf404e-6cbf4055 325->328 329 6cbf4064-6cbf4065 call 6cbf3d87 325->329 326->325 327->324 328->329 331 6cbf4057-6cbf405d call 6cbf3e34 328->331 332 6cbf406a-6cbf406f 329->332 335 6cbf4062 331->335 332->306 334 6cbf4071-6cbf4095 memcpy call 6cbf29aa 332->334 337 6cbf409a 334->337 335->332 337->306
APIs
• memcpy.NTDLL(?,CCCCFEEB,?,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF3FBC
• memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF400D
  • Part of subcall function 6CBF3E34: memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
• memcpy.NTDLL(?,6CBF46C5,00000800,?,?,?,00000000), ref: 6CBF407D
  • Part of subcall function 6CBF29AA: memset.NTDLL ref: 6CBF29C9
• NtUnmapViewOfSection.NTDLL ref: 6CBF40A8
• RtlNtStatusToDosError.NTDLL ref: 6CBF40AF
• CloseHandle.KERNELBASE(00000000,?,?,?,?,00000000), ref: 6CBF40BE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: memcpy$CloseErrorHandleSectionStatusUnmapViewmemset
• String ID: N;U
• API String ID: 742001727-3665909347
• Opcode ID: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
• Instruction ID: 77e417ceb0d9adca1ac51cfcdb02af875be58890c25355191e9974a46a12a127
• Opcode Fuzzy Hash: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
• Instruction Fuzzy Hash: 6D613AB1A0124AEFDF10CFA8C984A9EBBB9FF04308F104569E925A7751D731A64ACF51

Control-flow Graph

APIs
• ZwOpenProcess.NTDLL(6CBF0000,00000400,?,?,?,00000000,00000000), ref: 6CBF1B14
• ZwOpenProcessToken.NTDLL(6CBF0000,00000008,00000000), ref: 6CBF1B27
• ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,6CBF0000), ref: 6CBF1B42
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,6CBF0000,6CBF0000,6CBF0000), ref: 6CBF1B5F
• memcpy.NTDLL(00000000,00000000,0000001C), ref: 6CBF1B6C
• ZwClose.NTDLL(00000000,6CBF0000), ref: 6CBF1B7E
• ZwClose.NTDLL(6CBF0000), ref: 6CBF1B87
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
• String ID:
• API String ID: 2575439697-0
• Opcode ID: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
• Instruction ID: 835a9d551e7a3b4cbb89d56226c5fc3c20b14dc4dff64b5f9f73d6a45fe889c3
• Opcode Fuzzy Hash: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
• Instruction Fuzzy Hash: F22119B1A00118BBDF01DFA5CC449DEBFBDEF09750F104066F514E6221D7719A4A9BA0
APIs
• GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
• NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
  • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
  • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
• StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
Strings
• ZwWow64QueryInformationProcess64, xrefs: 6CBF24A3
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                                                                                                                                                  • String ID: ZwWow64QueryInformationProcess64
                                                                                                                                                                                  • API String ID: 3547194813-1903490642
                                                                                                                                                                                  • Opcode ID: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
                                                                                                                                                                                  • Instruction ID: bf70ba9ce6e551137f06e5f2f295773d0e82bfd0e0e834d7786fb84ced7a2c54
                                                                                                                                                                                  • Opcode Fuzzy Hash: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62616270A01286EBDF05CFA5D894BEEBBB4FF08304F104529E964A7741D770E959CBA2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 6CBF499E
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF49C3
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF49DF
                                                                                                                                                                                  • ZwClose.NTDLL(?), ref: 6CBF49F3
                                                                                                                                                                                    • Part of subcall function 6CBF4904: NtMapViewOfSection.NTDLL ref: 6CBF4931
                                                                                                                                                                                    • Part of subcall function 6CBF4904: RtlNtStatusToDosError.NTDLL ref: 6CBF4938
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorSectionStatus$CloseCreateViewmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 783833395-0
                                                                                                                                                                                  • Opcode ID: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
                                                                                                                                                                                  • Instruction ID: 73a2bb660cde6f3345ac6d6d02d1d5e594ad71e821b93691309b4e7821b780b6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
                                                                                                                                                                                  • Instruction Fuzzy Hash: 55215975A00269AFCF01CFA8CD449EEBBB8EB09720F104516F920E7240D7719A598FA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                  • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64ReadVirtualMemory64, xrefs: 6CBF2434
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressMemory64ProcReadVirtualWow64
                                                                                                                                                                                  • String ID: ZwWow64ReadVirtualMemory64
                                                                                                                                                                                  • API String ID: 752694512-2880279267
                                                                                                                                                                                  • Opcode ID: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
                                                                                                                                                                                  • Instruction ID: 31dffb25bcd454abb4ef14d41b2bda261722909730cd7705e27962e654375083
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
                                                                                                                                                                                  • Instruction Fuzzy Hash: EFF03A76600644BFCF068F96DC04C4EFFBAEB89350B108429F96093320D271D956DF21
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000000), ref: 6CBF22A0
                                                                                                                                                                                  • NtWow64QueryInformationProcess64.NTDLL(6CBF4211,00000000,00000000,00000030,6CBF4211,00000000,6CBF4211,?,?,C000009A,?,00000000,00000000), ref: 6CBF22BF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64QueryInformationProcess64, xrefs: 6CBF2295
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressInformationProcProcess64QueryWow64
                                                                                                                                                                                  • String ID: ZwWow64QueryInformationProcess64
                                                                                                                                                                                  • API String ID: 1650446693-1903490642
                                                                                                                                                                                  • Opcode ID: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
                                                                                                                                                                                  • Instruction ID: 70f10d12b7686bd382422908f4539a7a2e55624809dfc16690092b60b051b051
                                                                                                                                                                                  • Opcode Fuzzy Hash: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 64E04F31305351AFEB028A54EC05F057BB4AB5A754F054425B534E3350D321CD15DF52
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,?,00000000,DF18C02A), ref: 00810532
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 00810569
                                                                                                                                                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,00001000,00000002,?,?,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 0081084C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740291645.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_810000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MemoryVirtual$Protect$Allocate
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 955180148-0
                                                                                                                                                                                  • Opcode ID: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
                                                                                                                                                                                  • Instruction ID: 8c200d241fdbdabd284d18d6ac31a63439a8c1b9eeb42b5b65ca3c66aa4766d1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 53F14772E002189FDB04CFA9C981ADDBBB6FF88310F258169E419BB255D774AD82CF50
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 6CBF2E71
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$AllocateLastMemoryStatusVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 722216270-0
                                                                                                                                                                                  • Opcode ID: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
                                                                                                                                                                                  • Instruction ID: e1696c6e52f82c8b35b8127d70b07aa4c4083810d5045a848bfb14f64b6b2c96
                                                                                                                                                                                  • Opcode Fuzzy Hash: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
                                                                                                                                                                                  • Instruction Fuzzy Hash: A4F05E71A11309FBEB04CB95D819B9EB7BCAB05305F104048A210A6280EBB4EB04CB65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,00000004,6CBF468D,6CBF468D,00000000,74E05030,?,6CBF3C80,?,00000004,6CBF468D,00000004,?), ref: 6CBF2E0F
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2E1E
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,6CBF3C80,?,00000004,6CBF468D,00000004,?,?,?,?,6CBF453C,00000000,6CBF468D,CCCCFEEB,00000000), ref: 6CBF2E25
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$LastMemoryStatusVirtualWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1089604434-0
                                                                                                                                                                                  • Opcode ID: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
                                                                                                                                                                                  • Instruction ID: b68facb3353404949bade2746c938b6a2a580ca39d6f051695f5ef0a5dfee969
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 08E01232241299ABDF015FE9AC08D8B7B69EB0D751B104425BA21C6711C731D5219BA1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?,?,0081080D,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 00810E7A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740291645.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_810000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Load
                                                                                                                                                                                  • String ID: U/
                                                                                                                                                                                  • API String ID: 2234796835-28647567
                                                                                                                                                                                  • Opcode ID: 95ad536bfe3863d19e965b884b539d5f883aa0a128a14424d074b338dc3537cf
                                                                                                                                                                                  • Instruction ID: 2fbdf5bade7cd72d9a00d37f7043011365efe6a6cb31fa96e1fe940d31e9d59e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 95ad536bfe3863d19e965b884b539d5f883aa0a128a14424d074b338dc3537cf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 78611B75E10209AFDF14CFA5D8819EEBBB6FF88310F14C529E915EB244DB74AA818F50
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtQuerySystemInformation.NTDLL ref: 6CBF2D4A
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2D83
                                                                                                                                                                                    • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2533303245-0
                                                                                                                                                                                  • Opcode ID: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
                                                                                                                                                                                  • Instruction ID: f03f2fbc581efe32e4f056fd35d422eeb25efae4bed09f61f2f51062f8b05a37
                                                                                                                                                                                  • Opcode Fuzzy Hash: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
                                                                                                                                                                                  • Instruction Fuzzy Hash: D701F27A9039F4AAD7124655890CBDE7968CF46B58F110114ED30A7B00D770CE0A82F3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorSectionStatusView
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1313840181-0
                                                                                                                                                                                  • Opcode ID: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
                                                                                                                                                                                  • Instruction ID: 83790d556e31726be7f376e3c44faf6c4d30b93a27a300a62e93d82d0fcede85
                                                                                                                                                                                  • Opcode Fuzzy Hash: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31E0E5B6900208FFEF059F95DC0FDEF7B7DEB45300F00856AF615A6151E6B1AA149B60
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtWriteVirtualMemory.NTDLL ref: 6CBF4BCB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MemoryVirtualWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3527976591-0
                                                                                                                                                                                  • Opcode ID: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
                                                                                                                                                                                  • Instruction ID: 28cc42cccdb4055abea283a3ea790c5e4a853cf746611ce8e43d63e46f8e3474
                                                                                                                                                                                  • Opcode Fuzzy Hash: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 75F0243101860A5BD714EB58CC82EA6B3ECFF49310F04065CBCA5873D1E671B964CBC2

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 0 6cbf1f0f-6cbf1f2a 1 6cbf1f2c 0->1 2 6cbf1f33-6cbf1f39 0->2 1->2 3 6cbf1f3f-6cbf1f47 2->3 4 6cbf2277-6cbf2283 2->4 3->4 5 6cbf1f4d-6cbf1f5a StrChrA 3->5 5->4 6 6cbf1f60-6cbf1fa8 lstrcpyA lstrcatA * 2 RegOpenKeyA 5->6 6->4 7 6cbf1fae-6cbf1fcb RegQueryValueExW 6->7 8 6cbf2267 7->8 9 6cbf1fd1-6cbf1ff9 lstrlenW HeapAlloc 7->9 11 6cbf226e-6cbf2271 RegCloseKey 8->11 9->8 10 6cbf1fff-6cbf2015 RegQueryValueExW 9->10 12 6cbf201b-6cbf2068 PathCombineW CreateDirectoryW PathCombineW CreateDirectoryW PathCombineW lstrcmpiW 10->12 13 6cbf2257-6cbf2265 HeapFree 10->13 11->4 14 6cbf206e-6cbf2076 12->14 15 6cbf2250 12->15 13->11 16 6cbf2078-6cbf207f call 6cbf32ee 14->16 17 6cbf2081-6cbf2082 call 6cbf35c6 14->17 15->13 21 6cbf2087-6cbf208c 16->21 17->21 22 6cbf2247-6cbf224e 21->22 23 6cbf2092-6cbf20cb lstrcpyA RegOpenKeyExA 21->23 22->13 24 6cbf20cd-6cbf20ff lstrlenW RegSetValueExW RegCloseKey 23->24 25 6cbf2105-6cbf210a 23->25 24->25 26 6cbf2235-6cbf2245 HeapFree 24->26 27 6cbf210c-6cbf2111 call 6cbf1be5 25->27 28 6cbf2121-6cbf2133 call 6cbf1c30 25->28 26->13 31 6cbf2116-6cbf211b 27->31 34 6cbf21de-6cbf21e1 28->34 35 6cbf2139-6cbf213b 28->35 31->28 33 6cbf2232 31->33 33->26 36 6cbf222f 34->36 37 6cbf21e3-6cbf21fd RegOpenKeyExA 34->37 38 6cbf213d-6cbf2145 call 6cbf35c6 35->38 39 6cbf2147-6cbf2174 lstrcpyA RegCreateKeyA 35->39 36->33 37->33 40 6cbf21ff-6cbf2218 RegOpenKeyW 37->40 38->39 39->33 42 6cbf217a-6cbf219d RegQueryValueExA 39->42 43 6cbf221a-6cbf222d RegDeleteValueW RegCloseKey 40->43 44 6cbf21d3-6cbf21dc RegCloseKey 40->44 46 6cbf219f-6cbf21a3 42->46 47 6cbf21bb-6cbf21c0 42->47 43->44 44->33 46->47 48 6cbf21a5-6cbf21b9 RegSetValueExA 46->48 47->44 49 6cbf21c2-6cbf21d1 RegSetValueExA 47->49 48->47 49->44
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 6CBF1F52
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 6CBF1F6A
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,\Software\Microsoft\Windows\CurrentVersion), ref: 6CBF1F82
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,\Explorer\Shell Folders), ref: 6CBF1F90
                                                                                                                                                                                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 6CBF1FA0
                                                                                                                                                                                  • RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF1FC6
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 6CBF1FD7
                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?), ref: 6CBF1FEC
                                                                                                                                                                                  • RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF2011
                                                                                                                                                                                  • PathCombineW.SHLWAPI(00000000,00000000,Microsoft), ref: 6CBF2033
                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2037
                                                                                                                                                                                  • PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2045
                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2049
                                                                                                                                                                                  • PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2057
                                                                                                                                                                                  • lstrcmpiW.KERNEL32(00000000), ref: 6CBF2060
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: wsprintfW.USER32 ref: 6CBF3339
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,\Run,00000000), ref: 6CBF20A2
                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,6CBF3417,?), ref: 6CBF20C3
                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 6CBF20D0
                                                                                                                                                                                  • RegSetValueExW.KERNELBASE(?,00000000,00000001,?,?), ref: 6CBF20EA
                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 6CBF20F6
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?,6CBF342F,0AEBFFFF), ref: 6CBF2158
                                                                                                                                                                                  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 6CBF216C
                                                                                                                                                                                  • RegQueryValueExA.KERNELBASE(?,Client,00000000,?,?,?), ref: 6CBF218F
                                                                                                                                                                                  • RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028), ref: 6CBF21B9
                                                                                                                                                                                  • RegSetValueExA.ADVAPI32(?,Client32,00000000,00000003,BFA98035,3D6CBF80), ref: 6CBF21D1
                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 6CBF21D6
                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,6CBF3417,?,?,6CBF342F,0AEBFFFF), ref: 6CBF21F5
                                                                                                                                                                                  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 6CBF2210
                                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(?,02DE86E0), ref: 6CBF221E
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6CBF2227
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,6CBF342F,0AEBFFFF), ref: 6CBF223F
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 6CBF225F
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6CBF2271
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$CloseHeapOpenlstrlen$CombineCreatePathQuerylstrcpy$AllocDirectoryFreelstrcat$Deletelstrcmpiwsprintf
                                                                                                                                                                                  • String ID: ($AppData$Client$Client32$Microsoft$\Explorer\Shell Folders$\Run$\Software\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                  • API String ID: 4063272932-2954684206
                                                                                                                                                                                  • Opcode ID: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
                                                                                                                                                                                  • Instruction ID: d5b5995981af87601f0265e63448b9721a9a69c03413a0e9ad7d1cc960552da6
                                                                                                                                                                                  • Opcode Fuzzy Hash: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 23A12671A00189FFDF119FA2DC88DAEBB7DFB0A344F104422F925A6610D7319A5ADF52

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
control_flow_graph 84 6cbf16b2-6cbf16dc call 6cbf1a53 87 6cbf1a48-6cbf1a50 84->87 88 6cbf16e2-6cbf16ed 84->88 89 6cbf16f1-6cbf1729 GetCursorInfo call 6cbf345b 88->89 92 6cbf172b-6cbf172d 89->92 92->87 93 6cbf1733-6cbf1740 call 6cbf22c9 92->93 96 6cbf1754-6cbf1757 93->96 97 6cbf1742-6cbf174c 93->97 98 6cbf1759-6cbf176d call 6cbf2c92 96->98 99 6cbf17b2-6cbf17d8 CreateFileA 96->99 97->96 98->99 109 6cbf176f-6cbf1781 GetLongPathNameW 98->109 100 6cbf17fd-6cbf1801 99->100 101 6cbf17da-6cbf17f0 ReadFile 99->101 105 6cbf1818-6cbf1830 call 6cbf389c 100->105 106 6cbf1803 call 6cbf1000 100->106 103 6cbf17f6-6cbf17f7 CloseHandle 101->103 104 6cbf17f2 101->104 103->100 104->103 117 6cbf1843-6cbf186b call 6cbf150f call 6cbf1b96 105->117 118 6cbf1832-6cbf1837 105->118 111 6cbf1808-6cbf180e 106->111 112 6cbf17a9-6cbf17ad 109->112 113 6cbf1783-6cbf1794 call 6cbf11b2 109->113 111->105 115 6cbf1810 111->115 112->99 113->112 124 6cbf1796-6cbf17a2 GetLongPathNameW call 6cbf11c7 113->124 120 6cbf1812-6cbf1813 115->120 130 6cbf186d-6cbf187f call 6cbf1b96 117->130 131 6cbf1885-6cbf1898 call 6cbf2e82 117->131 118->117 122 6cbf1839-6cbf183e call 6cbf1638 118->122 120->87 122->117 129 6cbf17a7 124->129 129->99 130->131 136 6cbf1a40-6cbf1a46 GetLastError 130->136 137 6cbf189e-6cbf18a5 call 6cbf11dc 131->137 138 6cbf1a3b-6cbf1a3e 131->138 136->87 137->87 141 6cbf18ab-6cbf18b1 137->141 138->87 138->136 142 6cbf18bc-6cbf18c1 call 6cbf2f05 141->142 143 6cbf18b3 call 6cbf128f 141->143 147 6cbf18c6-6cbf18c8 142->147 146 6cbf18b8-6cbf18ba 143->146 146->142 148 6cbf190b-6cbf1916 call 6cbf137f 146->148 147->148 149 6cbf18ca-6cbf18d2 147->149 154 6cbf191f-6cbf193a 148->154 155 6cbf1918 148->155 149->148 151 6cbf18d4-6cbf18db call 6cbf14c3 149->151 151->148 159 6cbf18dd-6cbf18e3 151->159 157 6cbf193c-6cbf1941 154->157 158 6cbf1943 154->158 155->154 160 6cbf1948-6cbf196a ConvertStringSecurityDescriptorToSecurityDescriptorA CreateEventA 157->160 158->160 161 6cbf18fb-6cbf1906 call 6cbf1ddb 159->161 162 6cbf18e5-6cbf18f9 call 6cbf1d2e 159->162 163 6cbf196c-6cbf1974 GetLastError 160->163 164 6cbf1996-6cbf19b9 call 6cbf3349 160->164 161->120 162->148 162->161 167 6cbf198f-6cbf1990 CloseHandle 163->167 168 6cbf1976-6cbf1989 SetEvent Sleep ResetEvent 163->168 173 6cbf19bb-6cbf19bd 164->173 174 6cbf19e2-6cbf19f0 call 6cbf2d19 164->174 167->164 168->167 176 6cbf1a2f-6cbf1a39 LocalFree 173->176 177 6cbf19bf-6cbf19c6 173->177 174->138 181 6cbf19f2-6cbf1a09 CreateWaitableTimerA 174->181 176->138 177->174 178 6cbf19c8-6cbf19d1 DeleteFileW 177->178 178->174 180 6cbf19d3-6cbf19dc MoveFileExW 178->180 180->174 181->176 182 6cbf1a0b-6cbf1a29 SetWaitableTimer CloseHandle 181->182 182->176
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
                                                                                                                                                                                  • GetCursorInfo.USER32 ref: 6CBF16FE
                                                                                                                                                                                    • Part of subcall function 6CBF345B: lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
                                                                                                                                                                                  • CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 6CBF17E8
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF17F7
                                                                                                                                                                                    • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
                                                                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1),00000001,?,00000000), ref: 6CBF1948
                                                                                                                                                                                  • CreateEventA.KERNEL32(?,00000001,00000000,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF195B
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6CBF196C
                                                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 6CBF1977
                                                                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 6CBF1982
                                                                                                                                                                                  • ResetEvent.KERNEL32(00000000), ref: 6CBF1989
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 6CBF1990
                                                                                                                                                                                  • DeleteFileW.KERNELBASE(02DE87C8,?), ref: 6CBF19C9
                                                                                                                                                                                  • MoveFileExW.KERNELBASE(00000000,00000004), ref: 6CBF19DC
                                                                                                                                                                                  • CreateWaitableTimerA.KERNEL32(?,00000001,?), ref: 6CBF19FF
                                                                                                                                                                                  • SetWaitableTimer.KERNELBASE(00000000,0000000C,00000000,00000000,00000000,00000000), ref: 6CBF1A22
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF1A29
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 6CBF1A33
                                                                                                                                                                                  • GetLastError.KERNEL32(EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1A40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • c:\321.txt, xrefs: 6CBF17C4
                                                                                                                                                                                  • S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1), xrefs: 6CBF1943
                                                                                                                                                                                  • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 6CBF193C
                                                                                                                                                                                  • N;U, xrefs: 6CBF1851
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateEventFile$CloseHandle$DescriptorErrorLastLongNamePathProcessSecurityTimerWaitable$ConvertCurrentCursorDeleteFreeInfoLocalMoveOpenReadResetSleepStringVersionlstrcmplstrcpyn
                                                                                                                                                                                  • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$N;U$S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)$c:\321.txt
                                                                                                                                                                                  • API String ID: 400546999-400329992
                                                                                                                                                                                  • Opcode ID: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction ID: 0bfabbcd689d29662f5e76863d64d4601979bad7f637ba32e1b45e975acdee41
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31A1B4B26052859FDB009F75D884A9E77F8EB45308F498E2AF571D3750D730D84E8B92

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(6CBF342F,C0000000,00000001,00000000,00000004,00000080,00000000,6CBF3417,00000000,6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C6C
                                                                                                                                                                                  • WriteFile.KERNELBASE(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C92
                                                                                                                                                                                  • WriteFile.KERNELBASE(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CAB
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CB1
                                                                                                                                                                                  • SetEndOfFile.KERNELBASE(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CBD
                                                                                                                                                                                  • CloseHandle.KERNELBASE(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CC6
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CCE
                                                                                                                                                                                  • CreateFileW.KERNELBASE(6CBF342F,C0000000,00000001,00000000,00000003,00000080,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CED
                                                                                                                                                                                  • WriteFile.KERNELBASE(00000000,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D03
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D09
                                                                                                                                                                                  • FlushFileBuffers.KERNEL32(00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D13
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D1B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$ErrorLast$Write$Create$BuffersCloseFlushHandle
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2625730619-0
                                                                                                                                                                                  • Opcode ID: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
                                                                                                                                                                                  • Instruction ID: 71b52acd720305bbb8fdd735e3808596cbd223411343c519a1023ed0fa8217e4
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
                                                                                                                                                                                  • Instruction Fuzzy Hash: E83162B1A00208FFEF00DFA5CD44BAEBBB9EB4A754F148515F920E7290D7719A019B21

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF1407
                                                                                                                                                                                    • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
                                                                                                                                                                                    • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
                                                                                                                                                                                    • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
                                                                                                                                                                                  • CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?,00000000,%systemroot%\system32\svchost.exe,C000009A,?,00000000), ref: 6CBF1444
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000001), ref: 6CBF1470
                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?,00000000), ref: 6CBF1481
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,00000001), ref: 6CBF1490
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 6CBF1495
                                                                                                                                                                                  • GetLastError.KERNEL32(00000001), ref: 6CBF1499
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 6CBF14AA
                                                                                                                                                                                    • Part of subcall function 6CBF449E: memset.NTDLL ref: 6CBF44C1
                                                                                                                                                                                    • Part of subcall function 6CBF449E: ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
                                                                                                                                                                                    • Part of subcall function 6CBF449E: WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
                                                                                                                                                                                    • Part of subcall function 6CBF449E: SuspendThread.KERNEL32(?), ref: 6CBF456D
                                                                                                                                                                                    • Part of subcall function 6CBF449E: GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
                                                                                                                                                                                    • Part of subcall function 6CBF449E: ResumeThread.KERNELBASE(?), ref: 6CBF45E4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$CloseEnvironmentErrorExpandHandleLastObjectProcessResumeSingleStringsWaitmemset$AddressCodeCreateExitFreeHeapProcSuspend
                                                                                                                                                                                  • String ID: %systemroot%\system32\svchost.exe$D
                                                                                                                                                                                  • API String ID: 3646439427-390745801
                                                                                                                                                                                  • Opcode ID: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
                                                                                                                                                                                  • Instruction ID: dff90efabb4aff0f65664f43ecb5f690705236365ede14db7bfd50482c3267fd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
                                                                                                                                                                                  • Instruction Fuzzy Hash: 012169B1901168BFCB019FA6DC489EF7F7DEF46365F108426F625A6250C7318A098FA2

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 241 6cbf128f-6cbf12ac 242 6cbf12ae 241->242 243 6cbf12b3-6cbf12c9 call 6cbf32ee 241->243 242->243 246 6cbf12cf-6cbf12f4 RegOpenKeyExA 243->246 247 6cbf1378-6cbf137e 243->247 248 6cbf136b-6cbf1377 RtlFreeHeap 246->248 249 6cbf12f6-6cbf1318 lstrlenW HeapAlloc 246->249 248->247 250 6cbf131a-6cbf1335 RegQueryValueExW 249->250 251 6cbf1362-6cbf1365 RegCloseKey 249->251 252 6cbf1358-6cbf1360 HeapFree 250->252 253 6cbf1337-6cbf134f lstrcmpiW 250->253 251->248 252->251 253->252 254 6cbf1351 253->254 254->252
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,6CBF0000,00000000,00000000), ref: 6CBF12E6
                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 6CBF12F9
                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?), ref: 6CBF130E
                                                                                                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000000,00000001,00000000,?), ref: 6CBF132D
                                                                                                                                                                                  • lstrcmpiW.KERNEL32(00000000,?), ref: 6CBF1347
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 6CBF1360
                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 6CBF1365
                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,?), ref: 6CBF1375
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 6CBF12DC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$AllocCloseOpenQueryValuelstrcmpilstrlen
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                                                                                  • API String ID: 464076213-1428018034
                                                                                                                                                                                  • Opcode ID: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
                                                                                                                                                                                  • Instruction ID: fe687682966ef18a9cadcd1d6bf5c1e12d65ed12d7db68d216dd488f7ad79e6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF217C72A01119BFDF119FA2DC48EAFBBBCFB06348B554565E921E3310D3729915CBA0

Control-flow Graph
control_flow_graph 255 6cbf45f3-6cbf4629 call 6cbf22c9 OpenProcess 258 6cbf462f-6cbf4631 255->258 259 6cbf46b4-6cbf46ba GetLastError 255->259 261 6cbf4633-6cbf463a 258->261 262 6cbf4641-6cbf4665 GetProcAddress * 2 258->262 260 6cbf46bc-6cbf46c2 259->260 261->262 265 6cbf463c-6cbf463f 261->265 263 6cbf4667-6cbf4669 262->263 264 6cbf46a4 262->264 263->264 266 6cbf466b-6cbf467f 263->266 267 6cbf46a9-6cbf46b2 CloseHandle 264->267 265->267 269 6cbf469a-6cbf46a2 GetLastError 266->269 270 6cbf4681-6cbf4698 call 6cbf449e CloseHandle 266->270 267->260 269->267 270->267
APIs
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(00000250,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(00000250,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• OpenProcess.KERNEL32(001F0FFF,00000000,6CBF1623,6CBF1623,C000009A,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF461E
• GetProcAddress.KERNEL32(RtlExitUserThread), ref: 6CBF4652
• GetProcAddress.KERNEL32(CreateRemoteThread), ref: 6CBF4661
• CloseHandle.KERNEL32(6CBF1623,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF4692
• GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF469A
• CloseHandle.KERNEL32(?,?,?,6CBF1623,?,?), ref: 6CBF46AC
• GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF46B4
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Handle$AddressCloseProcProcess$ErrorLastOpen$ModuleWow64
• String ID: CreateRemoteThread$RtlExitUserThread
• API String ID: 1303122091-3466022969
• Opcode ID: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
• Instruction ID: 82551c7240de48624df413532e57212cef16f453a4b6d6d5af3e551ea2f3c787
• Opcode Fuzzy Hash: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
• Instruction Fuzzy Hash: 7B219272A00198BFDF015FF5DD4889EBBB9EB0A354B114876E931E3710D6714D0E8E91

Control-flow Graph
control_flow_graph 273 6cbf2a18-6cbf2a57 call 6cbf2492 VirtualAlloc 276 6cbf2a5d-6cbf2a68 call 6cbf2492 273->276 277 6cbf2b23 273->277 280 6cbf2a6d-6cbf2a73 276->280 279 6cbf2b2b-6cbf2b2d 277->279 281 6cbf2b2f-6cbf2b37 VirtualFree 279->281 282 6cbf2b3d-6cbf2b48 279->282 283 6cbf2a9b-6cbf2a9d 280->283 284 6cbf2a75-6cbf2a79 280->284 281->282 283->277 286 6cbf2aa3-6cbf2aa7 283->286 284->283 285 6cbf2a7b-6cbf2a99 VirtualFree VirtualAlloc 284->285 285->276 285->283 286->277 287 6cbf2aa9-6cbf2ab4 286->287 287->279 288 6cbf2ab6 287->288 289 6cbf2abc-6cbf2ace lstrcmpiA 288->289 290 6cbf2b00-6cbf2b1a 289->290 291 6cbf2ad0-6cbf2adb StrChrA 289->291 290->279 294 6cbf2b1c-6cbf2b21 290->294 292 6cbf2add-6cbf2aea lstrcmpiA 291->292 293 6cbf2aec-6cbf2afc 291->293 292->290 292->293 293->289 295 6cbf2afe 293->295 294->279 295->279
APIs
  • Part of subcall function 6CBF2492: GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
  • Part of subcall function 6CBF2492: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
  • Part of subcall function 6CBF2492: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
• String ID: NTDLL.DLL
• API String ID: 3901270786-1613819793
• Opcode ID: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction ID: 6feb7925d7ff07bc43edbcc22aa82d619937076948661425e6b66be1e10d63d6
• Opcode Fuzzy Hash: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction Fuzzy Hash: 2A31C371205792ABD321CF56C888F1BBBE8EF85754F110909F9A457781C730D90ACBA3

Control-flow Graph
control_flow_graph 338 6cbf22c9-6cbf22dc 339 6cbf22de-6cbf2301 GetModuleHandleA GetProcAddress 338->339 340 6cbf2303-6cbf2306 338->340 339->340 341 6cbf233b-6cbf2341 339->341 342 6cbf2319-6cbf231b 340->342 343 6cbf2308-6cbf2317 OpenProcess 340->343 342->341 344 6cbf231d-6cbf232a IsWow64Process 342->344 343->342 345 6cbf232f-6cbf2332 344->345 346 6cbf232c 344->346 345->341 347 6cbf2334-6cbf2335 CloseHandle 345->347 346->345 347->341
APIs
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
• IsWow64Process.KERNEL32(00000250,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
• CloseHandle.KERNELBASE(00000250,?,?,6CBF173E,00000000,?), ref: 6CBF2335
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: HandleProcess$AddressCloseModuleOpenProcWow64
• String ID: IsWow64Process$KERNEL32.DLL
• API String ID: 4157061983-1193389583
• Opcode ID: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction ID: c0ab2c1abe1b4340081c7cdf9fe61c6d41a4c2e604a853c51e3d6d59090e8d96
• Opcode Fuzzy Hash: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction Fuzzy Hash: 1601A7B5A02584FFDB069F66D90C89E7BBDEBCA7557204126E534D3300D2718B45CB63

APIs
• OpenProcessToken.ADVAPI32(000000FF,00020008,?,00000000), ref: 6CBF2F37
• GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 6CBF2F57
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 6CBF2F67
• CloseHandle.KERNELBASE(?), ref: 6CBF2FB7
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,6CBF0000), ref: 6CBF2F8A
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 6CBF2F92
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 6CBF2FA2
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
• String ID:
• API String ID: 1295030180-0
• Opcode ID: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction ID: 9fc0a7b9fc51d0eebef006e9924587aee81be6ddab7e764d3136aa0c5d05aec2
• Opcode Fuzzy Hash: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction Fuzzy Hash: 94212A75900249BFEF019FA5DD44DEEBBBDEB09304F104066E920A6350C7719A09EF61
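The API annotations in these function records are only as useful as the constants behind them, and a sandbox-supplied label is not always right: in the token-query function, the value 0x14 passed to GetTokenInformation is TokenElevation (a 4-byte TOKEN_ELEVATION, which matches the buffer length of 4 on that call), while 0x19 is TokenIntegrityLevel, queried twice in the usual probe-then-allocate pattern before GetSidSubAuthority reads the integrity RID. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's `Name.MODULE(args), ref: ADDR` format, decodes the access masks and enumerations a triage analyst checks first (PROCESS_ALL_ACCESS 0x1F0FFF on the OpenProcess that precedes the CreateRemoteThread lookup, MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE on VirtualAlloc, MEM_RELEASE on VirtualFree, TOKEN_READ on OpenProcessToken, ProcessBasicInformation with a 0x30-byte PROCESS_BASIC_INFORMATION64 on NtWow64QueryInformationProcess64), and reports wherever a label the sandbox attached to an argument disagrees with what the value decodes to. Constant values come from the Windows SDK headers; the sample lines are copied from this report and keep the sandbox's original `00000014(TokenIntegrityLevel)` label so the mismatch check has something to catch.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: lines copied from the report's API annotations.
SAMPLE = """\
• OpenProcess.KERNEL32(001F0FFF,00000000,6CBF1623,6CBF1623,C000009A,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF461E
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
  • Part of subcall function 6CBF2492: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
• OpenProcessToken.ADVAPI32(000000FF,00020008,?,00000000), ref: 6CBF2F37
• GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 6CBF2F57
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 6CBF2F67
"""

# "Name.MODULE(args), ref: ADDR", optionally prefixed with the sandbox's subcall marker.
LINE_RE = re.compile(r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                     r"(?P<func>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-F]+)\s*$")
# A hex argument, optionally followed by the sandbox's own label in parentheses.
ARG_RE = re.compile(r"^(?P<hex>[0-9A-F]{1,8})(?:\((?P<label>\w+)\))?$")

# Bit tables from the Windows SDK headers (winnt.h). 0x1F0FFF is PROCESS_ALL_ACCESS as
# defined for pre-Vista targets; SDKs targeting Vista and later define it as 0x1FFFFF.
PROCESS_ACCESS = [
    (0x1, "PROCESS_TERMINATE"), (0x2, "PROCESS_CREATE_THREAD"), (0x4, "PROCESS_SET_SESSIONID"),
    (0x8, "PROCESS_VM_OPERATION"), (0x10, "PROCESS_VM_READ"), (0x20, "PROCESS_VM_WRITE"),
    (0x40, "PROCESS_DUP_HANDLE"), (0x80, "PROCESS_CREATE_PROCESS"), (0x100, "PROCESS_SET_QUOTA"),
    (0x200, "PROCESS_SET_INFORMATION"), (0x400, "PROCESS_QUERY_INFORMATION"),
    (0x800, "PROCESS_SUSPEND_RESUME"), (0x1000, "PROCESS_QUERY_LIMITED_INFORMATION"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"),
    (0x80000, "WRITE_OWNER"), (0x100000, "SYNCHRONIZE")]
TOKEN_ACCESS = [
    (0x1, "TOKEN_ASSIGN_PRIMARY"), (0x2, "TOKEN_DUPLICATE"), (0x4, "TOKEN_IMPERSONATE"),
    (0x8, "TOKEN_QUERY"), (0x10, "TOKEN_QUERY_SOURCE"), (0x20, "TOKEN_ADJUST_PRIVILEGES"),
    (0x40, "TOKEN_ADJUST_GROUPS"), (0x80, "TOKEN_ADJUST_DEFAULT"), (0x100, "TOKEN_ADJUST_SESSIONID"),
    (0x10000, "DELETE"), (0x20000, "READ_CONTROL"), (0x40000, "WRITE_DAC"), (0x80000, "WRITE_OWNER")]
MEM_ALLOC = [(0x1000, "MEM_COMMIT"), (0x2000, "MEM_RESERVE"), (0x80000, "MEM_RESET"), (0x100000, "MEM_TOP_DOWN")]
MEM_FREE = [(0x4000, "MEM_DECOMMIT"), (0x8000, "MEM_RELEASE")]
PAGE_PROTECT = {0x1: "PAGE_NOACCESS", 0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE",
                0x8: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
# TOKEN_INFORMATION_CLASS is an enum, not a bitmask: 20 is TokenElevation, 25 is TokenIntegrityLevel.
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges", 4: "TokenOwner",
                    5: "TokenPrimaryGroup", 8: "TokenType", 12: "TokenSessionId",
                    18: "TokenElevationType", 19: "TokenLinkedToken", 20: "TokenElevation",
                    25: "TokenIntegrityLevel", 26: "TokenUIAccess"}

def _flags(table, value):
    """Expand a bitmask into '|'-joined names; bits not in the table stay as hex."""
    names = [name for bit, name in table if value & bit]
    rest = value & ~sum(bit for bit, _ in table)
    return "|".join(names + ([f"0x{rest:X}"] if rest else []))

# (function, argument index) -> decoder for the parameters worth reading in triage.
DECODERS = {
    ("OpenProcess", 0): lambda v: _flags(PROCESS_ACCESS, v),
    ("OpenProcessToken", 1): lambda v: _flags(TOKEN_ACCESS, v),
    ("VirtualAlloc", 2): lambda v: _flags(MEM_ALLOC, v),
    ("VirtualAlloc", 3): lambda v: PAGE_PROTECT.get(v, f"0x{v:X}"),
    ("VirtualFree", 2): lambda v: _flags(MEM_FREE, v),
    ("GetTokenInformation", 1): lambda v: TOKEN_INFO_CLASS.get(v, f"TOKEN_INFORMATION_CLASS({v})"),
    # Class 0 fills a 0x30-byte PROCESS_BASIC_INFORMATION64, which carries the target's 64-bit PEB address.
    ("NtWow64QueryInformationProcess64", 1): lambda v: "ProcessBasicInformation" if v == 0 else None,
    ("NtWow64QueryInformationProcess64", 3): lambda v: "sizeof(PROCESS_BASIC_INFORMATION64)" if v == 0x30 else None,
}

def decode_arg(func, idx, value):
    """Meaning of argument `idx` of `func`, or None if it is not one we decode."""
    decoder = DECODERS.get((func, idx))
    return decoder(value) if decoder else None

@dataclass
class ApiCall:
    func: str
    module: str
    args: list                  # raw argument strings as printed by the sandbox
    ref: str                    # address of the call site
    subcall_of: str             # None unless the sandbox marks the line as a subcall
    decoded: dict = field(default_factory=dict)     # argument index -> decoded meaning
    mismatches: list = field(default_factory=list)  # (index, sandbox label, decoded meaning)

def parse_line(line):
    """Parse one annotation line; None for lines outside the format (e.g. 'memset.NTDLL ref: ...')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    call = ApiCall(m["func"], m["mod"], m["args"].split(","), m["ref"], m["sub"])
    for i, arg in enumerate(call.args):
        am = ARG_RE.match(arg)
        if not am:
            continue            # '?' or a string literal such as CreateRemoteThread
        meaning = decode_arg(call.func, i, int(am["hex"], 16))
        if meaning is None:
            continue
        call.decoded[i] = meaning
        if am["label"] and am["label"] != meaning:
            call.mismatches.append((i, am["label"], meaning))
    return call

def parse_report(text):
    return [call for call in map(parse_line, text.splitlines()) if call]
```

Call `parse_report(SAMPLE)` and read each record's `decoded` and `mismatches`: on the sample the OpenProcess at 6CBF461E decodes to the full seventeen-flag PROCESS_ALL_ACCESS mask, the OpenProcessToken at 6CBF2F37 to TOKEN_QUERY|READ_CONTROL (TOKEN_READ), and the only mismatch reported is argument 1 of the GetTokenInformation at 6CBF2F57, where the sandbox's TokenIntegrityLevel label sits on a value that is TokenElevation. Lines outside the format, such as the bare `memset.NTDLL ref:` entry, are skipped rather than mis-parsed.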

APIs
• memset.NTDLL ref: 6CBF44C1
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(00000250,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(00000250,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
• SuspendThread.KERNEL32(?), ref: 6CBF456D
• GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
                                                                                                                                                                                  • ResumeThread.KERNELBASE(?), ref: 6CBF45E4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$HandleProcessResume$AddressCloseErrorLastModuleObjectOpenProcSingleSuspendWaitWow64memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3158980537-0
                                                                                                                                                                                  • Opcode ID: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
                                                                                                                                                                                  • Instruction ID: b7bf53af608e10ce6e97ce3a8b46c8b9165ff845f5aff955d537bd41850555bf
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
                                                                                                                                                                                  • Instruction Fuzzy Hash: A231DD71900258BBDF02AFA5C944ADEBB78EF01368F008162F934A7750D7319E5ACF91
APIs
• lstrcatW.KERNEL32(.dll,?,6CBF0000,00000000,?), ref: 6CBF120F
  • Part of subcall function 6CBF3723: lstrlenA.KERNEL32(6CBF1224,00000000,?,00000027,6CBF0000,00000000,00000000,?,?,?,6CBF1224,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF3759
  • Part of subcall function 6CBF3723: lstrcpyA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF377D
  • Part of subcall function 6CBF3723: lstrcatA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF3785
• HeapFree.KERNEL32(00000000,?,Local\,00000001,00000000,00000001,Local\,00000001,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF1282
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: lstrcat$FreeHeaplstrcpylstrlen
• String ID: .dll$Local\$Software\AppDataLow\Software\Microsoft\
• API String ID: 2335496509-1273941773
• Opcode ID: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
• Instruction ID: f9ee55973e922b6819aef8c67e07787b0fef87324c2b223b26c882a5c12a0ba0
• Opcode Fuzzy Hash: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
• Instruction Fuzzy Hash: 3D115BB5A01289ABEF00CBA6ED45F9E7BB8EB91204F1050A6A431E7B40E730D609CF51
APIs
• CreateFileW.KERNELBASE(6CBF342F,80000000,00000001,00000000,00000003,00000080,00000000,6CBF3417,02DE87C8,6CBF342F,?,?,6CBF1BFB,02DE87C8,00000000,00000000), ref: 6CBF3A36
• GetFileSize.KERNEL32(00000000,00000000,?,?,6CBF1BFB,02DE87C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A46
• ReadFile.KERNELBASE(6CBF342F,00000000,00000000,6CBF3433,00000000,00000001,?,?,6CBF1BFB,02DE87C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F), ref: 6CBF3A72
• GetLastError.KERNEL32(?,?,6CBF1BFB,02DE87C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A97
• CloseHandle.KERNEL32(000000FF,?,?,6CBF1BFB,02DE87C8,00000000,00000000,6CBF3417,00000000,6CBF2116), ref: 6CBF3AA8
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastReadSize
• String ID:
• API String ID: 3577853679-0
• Opcode ID: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
• Instruction ID: 41644cd9c9b9f97e9c6811693926bc9ec7671719c589b5331f1cc4fe94abf577
• Opcode Fuzzy Hash: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
• Instruction Fuzzy Hash: 14115972201295FFDB105F76CC88E9E7B6DDB063A4F10422AF934A7350D3319D4A86A2
APIs
• memset.NTDLL ref: 6CBF436F
  • Part of subcall function 6CBF41BA: memset.NTDLL ref: 6CBF41F6
• ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 6CBF43F9
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF4407
• Wow64SuspendThread.KERNEL32(?), ref: 6CBF441A
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Threadmemset$ObjectResumeSingleSuspendWaitWow64
• String ID:
• API String ID: 390528492-0
• Opcode ID: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
• Instruction ID: c5d6127d432ecac6846b5fedc38fa2e465c2ed4b195dba71b5713391a7266aa7
• Opcode Fuzzy Hash: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
• Instruction Fuzzy Hash: 8E317E71108381AFE711DF50C980AABBBA9FF88318F004929F6A492761DB71D95DDF93
APIs
• RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,?,?), ref: 6CBF3370
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?), ref: 6CBF33B7
• WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CBF3424
• RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?), ref: 6CBF344C
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: AllocateCloseEnumHeapObjectOpenSingleWait
• String ID:
• API String ID: 3664505660-0
• Opcode ID: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
• Instruction ID: c01a025978880df60076113d02ef46dac7817f8015366d424635c291b44ed363
• Opcode Fuzzy Hash: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
• Instruction Fuzzy Hash: 1B317A71D00169EBCF129BAACC448EFFFB9EB85754F104526E9A1B3310C2714A49DB92
APIs
• memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: memcpy
• String ID: LdrGetProcedureAddress$LdrLoadDll$ZwProtectVirtualMemory
• API String ID: 3510742995-2710412950
• Opcode ID: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
• Instruction ID: b26b4d089e5465923a51dcfe1ec991e96474259b2b81f3a0a30ba33eb298a4ef
• Opcode Fuzzy Hash: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
• Instruction Fuzzy Hash: AF0121707122819BCF48DF55E8C1896B7B1FB92354B12C836E2B497B21D331544E8FB2
APIs
• InterlockedIncrement.KERNEL32(6CBFA948), ref: 6CBF1157
• HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6CBF116A
• InterlockedDecrement.KERNEL32(6CBFA948), ref: 6CBF1196
• HeapDestroy.KERNELBASE ref: 6CBF11A6
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: HeapInterlocked$CreateDecrementDestroyIncrement
• String ID:
• API String ID: 4057829272-0
• Opcode ID: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
                                                                                                                                                                                  • Instruction ID: bb848c8a35e7dee50c46aa7aba71969739e237411599ff4d1c02f77b26540bbe
                                                                                                                                                                                  • Opcode Fuzzy Hash: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
                                                                                                                                                                                  • Instruction Fuzzy Hash: 92F0F978786282AFEB049F2ADC09B06BEB4EB87764F598925E474D2740D730D54A8B12
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlUpcaseUnicodeString.NTDLL ref: 6CBF15A6
                                                                                                                                                                                  • RtlFreeUnicodeString.NTDLL(?,?,?), ref: 6CBF1628
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: StringUnicode$FreeUpcase
                                                                                                                                                                                  • String ID: N;U
                                                                                                                                                                                  • API String ID: 941810394-3665909347
                                                                                                                                                                                  • Opcode ID: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
                                                                                                                                                                                  • Instruction ID: 04db9d4d0059404eb37b95737045e883904a8c4d1c567b8457c62cb36d00d5ec
                                                                                                                                                                                  • Opcode Fuzzy Hash: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
                                                                                                                                                                                  • Instruction Fuzzy Hash: A111D071A01385BADF109A21D84079E73A9EB09714F288D25E871D7FA0DB31E94ECB92
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF2755
                                                                                                                                                                                  • memcpy.NTDLL ref: 6CBF277D
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
                                                                                                                                                                                  • GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
                                                                                                                                                                                  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 685050087-0
                                                                                                                                                                                  • Opcode ID: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
                                                                                                                                                                                  • Instruction ID: 79cf99de8b29e72afb6cc3e27418fca29fd778fab988e2b27339a1c4fcd54735
                                                                                                                                                                                  • Opcode Fuzzy Hash: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E419FB1504381AFD720CF65C945B9BBBF8EB48314F004A29F5A8C6751E730D91A8B63
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF1386
                                                                                                                                                                                    • Part of subcall function 6CBF379A: memcpy.NTDLL(00000000,?,?,?,00000000,00000000,?,?,?,?,6CBF13A4,?,?), ref: 6CBF384F
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,00000008,EE553B4E,?,?,00000000,EE553B4E), ref: 6CBF13D8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeapmemcpymemset
                                                                                                                                                                                  • String ID: N;U
                                                                                                                                                                                  • API String ID: 2272576838-3665909347
                                                                                                                                                                                  • Opcode ID: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
                                                                                                                                                                                  • Instruction ID: f846aa8a4bedd2feff064d35cf0f8959c5c9789584d21487d1336933b26f5269
                                                                                                                                                                                  • Opcode Fuzzy Hash: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F06DB12022806ADB61CA76AC48E9736BCEBC2348F040925B861C3B40DB61D50E8B61
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetCursorInfo.USER32 ref: 6CBF16FE
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 6CBF113B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LongNamePath$CreateCursorExitFileInfoProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1773960417-0
                                                                                                                                                                                  • Opcode ID: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
                                                                                                                                                                                  • Instruction ID: d67f01e87a2cb07e2a617664e22e2f7a955f37f86d688e3fd11fc16db191311b
                                                                                                                                                                                  • Opcode Fuzzy Hash: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
                                                                                                                                                                                  • Instruction Fuzzy Hash: A8A002F09102C077CD20A7F2981C99E256EAB0320D78CCD097471E3B10CF39D44E5669
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
                                                                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2B87
                                                                                                                                                                                    • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                    • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4138075514-0
                                                                                                                                                                                  • Opcode ID: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
                                                                                                                                                                                  • Instruction ID: 349b2e1dac7b352ec203c28e6d01593987971f3df7588759c45d7327db196996
                                                                                                                                                                                  • Opcode Fuzzy Hash: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA21C471D01268ABCF11CFE5DC84ACEBBB4FF09714F20412AE924B2650C3749A0ACF91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
• Instruction ID: b8ce547b5503943abe1f2380b6df63760ba07a9de63245981ce5e6f619c5a836
• Opcode Fuzzy Hash: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
• Instruction Fuzzy Hash: BCB01231610100FFCF014B20DD09F057B71B752700F01C021B3140136082320420EF14
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
• Instruction ID: 82c2d1d36811edfd1c03c23f412d2c1185ad7d48691b39041a0e41481a5e6262
• Opcode Fuzzy Hash: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
• Instruction Fuzzy Hash: B7B01231200100AFCE014B20DD09F057B71B752700F118021B3180226082324420EF08
APIs
  • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
  • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
  • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
  • Part of subcall function 6CBF2FCE: memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF2FCE: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
  • Part of subcall function 6CBF2FCE: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
  • Part of subcall function 6CBF2FCE: CloseHandle.KERNEL32(?), ref: 6CBF3097
  • Part of subcall function 6CBF2FCE: StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
  • Part of subcall function 6CBF2FCE: lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
  • Part of subcall function 6CBF2FCE: FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
  • Part of subcall function 6CBF2FCE: CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
  • Part of subcall function 6CBF361F: lstrlenA.KERNEL32(6CBF11FC,00000000,6CBFAA50,00000001,6CBF3293,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?), ref: 6CBF3628
  • Part of subcall function 6CBF361F: mbstowcs.NTDLL ref: 6CBF364F
  • Part of subcall function 6CBF361F: memset.NTDLL ref: 6CBF3661
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?,6CBF0000,00000000,?), ref: 6CBF32AF
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: File$Heap$AllocTimememset$AddressCloseCompareCreateFindFirstFreeHandleProclstrcatlstrlenmbstowcs
• String ID:
• API String ID: 1861520213-0
• Opcode ID: 632c0a7c1917480f9722b3c4b5c66ef441b6baff53464fb0fa8255fc2ce78c89
• Instruction ID: ebcfe3817d436e011c8e8b27472f73346dde29b45614a4c710ced3c922e8d06a
• Opcode Fuzzy Hash: 632c0a7c1917480f9722b3c4b5c66ef441b6baff53464fb0fa8255fc2ce78c89
• Instruction Fuzzy Hash: 3401F5313002C47EEF005EE6CC85BAA76A8FB46218F600035E974D7750D661CD8F9767
APIs
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• memset.NTDLL ref: 6CBF29C9
  • Part of subcall function 6CBF272F: memset.NTDLL ref: 6CBF2755
  • Part of subcall function 6CBF272F: memcpy.NTDLL ref: 6CBF277D
  • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
  • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: ErrorLastmemset$AllocateHeapmemcpy
• String ID:
• API String ID: 4290293647-0
• Opcode ID: 5ce2d39bcb20866ebbd57dce7cee95c78a89a614e1bba70ba642c17971872cf7
• Instruction ID: e20a20b4ffe397072f3337a5f6c6b14e1848c08153cef7b13dc2852d9c751d95
• Opcode Fuzzy Hash: 5ce2d39bcb20866ebbd57dce7cee95c78a89a614e1bba70ba642c17971872cf7
• Instruction Fuzzy Hash: E801D6715013C86BD321CF29DC44B8B3BE8EF45718F10862AF86497B41D774E90E87A2
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 589042aa51d45c6921daadf7d904c4c7d04190ad83041130710503daa941447a
• Instruction ID: 543552ed40ee6eae6b20bfc3490eeef5b903297026812cac47cae92350035e03
• Opcode Fuzzy Hash: 589042aa51d45c6921daadf7d904c4c7d04190ad83041130710503daa941447a
• Instruction Fuzzy Hash: 11D01730E01659ABCF10DB95D84A99EFB71BF09720F608220E87077690C3301A5ACF91
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 6CBF5EC3
• SHGetFolderPathW.SHELL32(00000000,00000014,00000000,00000000,00000000), ref: 6CBF5EEB
• wcslen.NTDLL ref: 6CBF5F12
• memset.NTDLL ref: 6CBF5F7E
• memcpy.NTDLL(-0000000C,00000000,?), ref: 6CBF5FA0
• memcpy.NTDLL(0000000C,cga80850.fon,0000001A), ref: 6CBF5FBF
• AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF5FD5
• RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF5FEC
• memset.NTDLL ref: 6CBF6025
• memcpy.NTDLL(?,*.fon,0000000C), ref: 6CBF6044
• FindFirstFileW.KERNEL32(00000000,00000000), ref: 6CBF605A
• FindNextFileW.KERNEL32(000000FF,00000000), ref: 6CBF6081
• memset.NTDLL ref: 6CBF60C7
• memcpy.NTDLL(-0000000C,00000000,?), ref: 6CBF60E9
• wcslen.NTDLL ref: 6CBF60F8
• memcpy.NTDLL(0000000C,?,00000000), ref: 6CBF611A
• AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF613E
• RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6155
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: memcpy$FontResource$memset$FileFindRemovewcslen$AllocFirstFolderNextPathVirtual
• String ID: *.fon$0$WndClass_56$WndClass_56$cga80850.fon
• API String ID: 2579003408-2165019218
• Opcode ID: ee1547ac0f787c1d964e4ccf719483c1482c5a2d8d28e075716209dc1dfd10fb
• Instruction ID: eee86c5376301be513a80d9edb54442ca42dc2fa812b22990241b04a1d1d1090
• Opcode Fuzzy Hash: ee1547ac0f787c1d964e4ccf719483c1482c5a2d8d28e075716209dc1dfd10fb
• Instruction Fuzzy Hash: 4E5291B1700244DFDB14CF14DD84F9A7379FB46308F1481AAEA299B782C771A989CF59
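The per-function API listings in this report share one line format: `Api.MODULE(args), ref: callsite`, with `Part of subcall function X:` entries indented under the caller. When triaging a report like this one, the two things worth pulling out mechanically are the ordered set of APIs each function calls directly (the basis of the API ID shown under Similarity) and the non-numeric arguments, which are where paths, file masks and export names such as `%systemroot%\system32\c_1252.nls`, `\*.dll`, `cga80850.fon` or `Wow64EnableWow64FsRedirection` surface. The Python below is an added example and not part of the Joe Sandbox report: it parses that line format into records and extracts both views. The sample input is copied from the font-enumeration function above and one subcall line of the c_1252.nls file-time function; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One API line of a Joe Sandbox "APIs" listing, e.g.
#   • CreateFileA.KERNELBASE(00000000,80000000,...), ref: 6CBF306C
#   • memset.NTDLL ref: 6CBF5F7E
#   • Part of subcall function 6CBF2FCE: GetFileTime.KERNEL32(...), ref: 6CBF3080
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?"
    r",? ref: (?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Arguments the sandbox prints as raw 32-bit immediates or as unknown ("?").
IMMEDIATE = re.compile(r"-?[0-9A-Fa-f]{8}|\?")


@dataclass(frozen=True)
class ApiCall:
    api: str                    # exported function name, e.g. AddFontResourceExW
    module: str                 # module it was resolved from, e.g. GDI32
    args: tuple                 # argument strings exactly as printed
    ref: int                    # call-site address inside the dumped image
    subcall_of: Optional[int]   # callee address for "Part of subcall" lines, else None


def parse_api_lines(text: str) -> list:
    """Parse every API line of a block; headings such as 'APIs' or 'Strings' are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw_args = m["args"]
        args = tuple(raw_args.split(",")) if raw_args else ()
        calls.append(ApiCall(
            api=m["api"],
            module=m["mod"],
            args=args,
            ref=int(m["ref"], 16),
            subcall_of=int(m["sub"], 16) if m["sub"] else None,
        ))
    return calls


def direct_api_sequence(calls: list) -> list:
    """Distinct APIs the function calls itself (subcall entries excluded), in first-seen order."""
    seen = []
    for c in calls:
        if c.subcall_of is None and c.api not in seen:
            seen.append(c.api)
    return seen


def string_arguments(calls: list) -> list:
    """Arguments that are not hex immediates: paths, file masks, export names."""
    out = []
    for c in calls:
        for a in c.args:
            if not IMMEDIATE.fullmatch(a) and a not in out:
                out.append(a)
    return out


# Constructed sample: lines copied from two function records of this report.
SAMPLE = r"""
APIs
• VirtualAlloc.KERNEL32(00000000,00001000,00003000,00000004), ref: 6CBF5EC3
• SHGetFolderPathW.SHELL32(00000000,00000014,00000000,00000000,00000000), ref: 6CBF5EEB
• wcslen.NTDLL ref: 6CBF5F12
• memcpy.NTDLL(0000000C,cga80850.fon,0000001A), ref: 6CBF5FBF
• AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF5FD5
• RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF5FEC
• memcpy.NTDLL(?,*.fon,0000000C), ref: 6CBF6044
• FindFirstFileW.KERNEL32(00000000,00000000), ref: 6CBF605A
• FindNextFileW.KERNEL32(000000FF,00000000), ref: 6CBF6081
  • Part of subcall function 6CBF2FCE: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
Strings
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("direct API sequence:", " -> ".join(direct_api_sequence(calls)))
    print("string arguments:", string_arguments(calls))
```

Run over a whole report dump, `direct_api_sequence` gives a compact per-function signature to pivot on, and `string_arguments` gives the paths and masks to feed into file-system and EDR hunting without reading every record by hand.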
APIs
• memset.NTDLL ref: 6CBF1DF9
• CoInitializeEx.OLE32(00000000,00000002,6CBF0000,00000000,00000000), ref: 6CBF1E04
• PathFindExtensionW.SHLWAPI(00000000,00000750), ref: 6CBF1E1F
• lstrcpyW.KERNEL32(00000000,.dll), ref: 6CBF1E34
• lstrlenW.KERNEL32(00000000), ref: 6CBF1E41
• lstrlenW.KERNEL32(?), ref: 6CBF1E4A
• lstrlenA.KERNEL32(?), ref: 6CBF1E51
• lstrcpyW.KERNEL32(00000000,.exe), ref: 6CBF1E82
• lstrlenW.KERNEL32(00000000), ref: 6CBF1E8F
• lstrlenW.KERNEL32(02DE87C8), ref: 6CBF1E95
• wsprintfW.USER32 ref: 6CBF1EB9
• ShellExecuteExW.SHELL32(0000003C), ref: 6CBF1EEE
• CoUninitialize.OLE32(00000000), ref: 6CBF1F02
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: lstrlen$lstrcpy$ExecuteExtensionFindInitializePathShellUninitializememsetwsprintf
                                                                                                                                                                                  • String ID: .dll$.exe$/C "copy "%s" "%s" /y && "%s" "%s""$/C "copy "%s" "%s" /y && rundll32 "%s",%S"$<$PDu$cmd.exe$runas
                                                                                                                                                                                  • API String ID: 1734841466-4037923481
                                                                                                                                                                                  • Opcode ID: 9e9647a51e4acdab2d58de727921fac9f03d9bb0f85fee244261edb201bdbe23
                                                                                                                                                                                  • Instruction ID: 92d29e734af3ffaaaf88026adfeb7d1a2061a2e86b4f72d9d148a6fcf97133ee
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e9647a51e4acdab2d58de727921fac9f03d9bb0f85fee244261edb201bdbe23
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6131E6B2D01258ABCF119BA69C44D9F7ABCEF06748B084916F920A7701D734CE0ACBA1
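The function above (6CBF1E1F through 6CBF1F02) is the copy-and-relaunch routine: PathFindExtensionW decides between the ".dll" and ".exe" branch, wsprintfW fills one of the two cmd.exe templates listed under String ID (copy the file to a new location with /y, then start the copy either through rundll32 with an export name or directly with an argument), and ShellExecuteExW launches the result; the 0x3C argument is the 60-byte SHELLEXECUTEINFOW size on 32-bit, and the runas string in the same function is consistent with an elevation prompt as the launch verb. The example below is added here and is not part of the Joe Sandbox report or of the sample: a small Python detector that recognises command lines with this shape in process-creation telemetry. The key=value event lines, the file paths and the DllRegisterServer export name are constructed for the example; the report does not show which export the sample uses.

```python
import re
from typing import Optional

# Constructed process-creation events in a flat key=value shape (not real
# telemetry from the report); paths and the export name are hypothetical.
CONSTRUCTED_EVENTS = [
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\System32\rundll32.exe '
    r'CommandLine=cmd.exe /C "copy "C:\Users\u\AppData\Local\Temp\payload.dll" '
    r'"C:\Users\u\AppData\Roaming\Microsoft\payload.dll" /y && '
    r'rundll32 "C:\Users\u\AppData\Roaming\Microsoft\payload.dll",DllRegisterServer"',
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\Program Files\Build\msbuild.exe '
    r'CommandLine=cmd.exe /C "copy "C:\build\out.dll" "C:\deploy\out.dll" /y"',
    r'Image=C:\Windows\System32\rundll32.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine=rundll32.exe shell32.dll,Control_RunDLL',
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\Users\u\Downloads\setup.exe '
    r'CommandLine=cmd.exe /C "copy "C:\Users\u\Downloads\setup.exe" '
    r'"C:\Users\u\AppData\Roaming\setup.exe" /y && "C:\Users\u\AppData\Roaming\setup.exe" "/silent""',
]

# The two wsprintfW templates recovered from the function, merged into one
# pattern: copy "<src>" "<dst>" /y && ( rundll32 "<dll>",<export> | "<exe>" "<arg>" )
COPY_AND_RUN = re.compile(
    r'cmd(?:\.exe)?\s+/c\s+"copy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"\s+/y\s+&&\s+'
    r'(?:rundll32(?:\.exe)?\s+"(?P<dll>[^"]+)",(?P<export>[^"\s]+)'
    r'|"(?P<exe>[^"]+)"\s+"(?P<arg>[^"]*)")"\s*$',
    re.IGNORECASE,
)


def classify(cmdline: str) -> Optional[dict]:
    """Return details if the command line has the copy-then-launch shape, else None."""
    m = COPY_AND_RUN.search(cmdline)
    if m is None:
        return None
    if m.group("dll") is not None:
        kind, launched, tail = "rundll32", m.group("dll"), m.group("export")
    else:
        kind, launched, tail = "exe", m.group("exe"), m.group("arg")
    return {
        "kind": kind,
        "src": m.group("src"),
        "dst": m.group("dst"),
        "launched": launched,
        "export_or_arg": tail,
        # The freshly written copy is what gets executed: that is the
        # relocate-and-relaunch signature, not an ordinary file copy.
        "relaunches_copy": launched.lower() == m.group("dst").lower(),
    }


def command_line(event: str) -> str:
    """Pull the CommandLine value out of a constructed key=value event line."""
    m = re.search(r"CommandLine=(.*)$", event)
    return m.group(1) if m else ""


def scan_events(events):
    """Return (event index, finding) pairs for events matching the pattern."""
    hits = []
    for i, ev in enumerate(events):
        finding = classify(command_line(ev))
        if finding is not None:
            hits.append((i, finding))
    return hits


if __name__ == "__main__":
    for i, f in scan_events(CONSTRUCTED_EVENTS):
        flag = "relaunches its own copy" if f["relaunches_copy"] else ""
        print(i, f["kind"], f["dst"], f["export_or_arg"], flag)
```

The launch verb is not part of the child's command line, so the detector keys on the command-line shape alone and additionally records whether the path being launched is the copy destination; a plain `copy ... /y` with no `&&` launch, or a rundll32 call without the preceding copy, does not match.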
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(NTDLL.DLL,6CBF0000,00000000,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2E98
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2EA8
                                                                                                                                                                                    • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModule$lstrcmp
                                                                                                                                                                                  • String ID: KERNEL32.DLL$N;U$NTDLL.DLL$~
                                                                                                                                                                                  • API String ID: 397996933-4041261047
                                                                                                                                                                                  • Opcode ID: c75f3fc916f4e1d08d367147cd98a7bead831588aa657aaf0338dd4b18985a79
                                                                                                                                                                                  • Instruction ID: 19f683aebdfabf4a7f57d7103aee2776fbd708fb934894f2d6cf2f36c3ea8b17
                                                                                                                                                                                  • Opcode Fuzzy Hash: c75f3fc916f4e1d08d367147cd98a7bead831588aa657aaf0338dd4b18985a79
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C01A772A073E59FE710CF59EC8451A7BE8EB4E294B22052AE83097740C771A90D4F93
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF28A7
                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000318,00000008), ref: 6CBF299A
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
                                                                                                                                                                                    • Part of subcall function 6CBF2D8F: RtlNtStatusToDosError.NTDLL ref: 6CBF2DA7
                                                                                                                                                                                  • memcpy.NTDLL(00000218,6CBF4C11,00000100,?,00010003,?,?,00000318,00000008), ref: 6CBF2922
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF297C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2966525677-0
                                                                                                                                                                                  • Opcode ID: 17528c22e1ccc223da11ebd04ec031f5d6751a80abf4e0853c70a829936daa3b
                                                                                                                                                                                  • Instruction ID: b074362c9688eb71973382dc2ea38a9388693c49841304976b1dd1f9fc47c78e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 17528c22e1ccc223da11ebd04ec031f5d6751a80abf4e0853c70a829936daa3b
                                                                                                                                                                                  • Instruction Fuzzy Hash: F931C27190124AAFDB10CF64C998ADEB7B8EB04308F10857AE566D7B40D730EE4A8F52
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF2C44
                                                                                                                                                                                  • ZwQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000,?,?,00000000), ref: 6CBF2C5C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: InformationProcessQuerymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2040988606-0
                                                                                                                                                                                  • Opcode ID: c017c20bfca295f2b408442b8bab06937ef81dda08fe0eed9b3c226f7552dd30
                                                                                                                                                                                  • Instruction ID: 1086017dcbb04413cbfaaaed50f3762d0cfacfdd6690913e71ec262f5bb9ad7e
                                                                                                                                                                                  • Opcode Fuzzy Hash: c017c20bfca295f2b408442b8bab06937ef81dda08fe0eed9b3c226f7552dd30
                                                                                                                                                                                  • Instruction Fuzzy Hash: DAF0687590025C7AEF10DB91DC09FDE7B7CDB04740F004061FA14E2281D370DB598BA1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2DDD
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,6CBF451D,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF2DE4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$LastStatus
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4076355890-0
                                                                                                                                                                                  • Opcode ID: 559922a02e7f97a52818d48a4f44cd365c96c8cd7367574a7b82e3dcff3b2921
                                                                                                                                                                                  • Instruction ID: be789eee27c5fa062a4d22d780fdd05d91cbd88dffa5739972d1ee41680525bf
                                                                                                                                                                                  • Opcode Fuzzy Hash: 559922a02e7f97a52818d48a4f44cd365c96c8cd7367574a7b82e3dcff3b2921
                                                                                                                                                                                  • Instruction Fuzzy Hash: 30E048363016AAABDF015FE99C08D9B7B79EB0E790B404011FE20C7711C731D8629BB1
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740291645.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_810000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID: gJ3 $gc
                                                                                                                                                                                  • API String ID: 0-1127060305
                                                                                                                                                                                  • Opcode ID: d2089641cddd14445b6f72733fe9f83086380c457c142573068a8bbf742b116b
                                                                                                                                                                                  • Instruction ID: 6529d031ec12da3f89d1dfeb3a2993ef77d296dd7b571beaf287064b79a8bfb3
                                                                                                                                                                                  • Opcode Fuzzy Hash: d2089641cddd14445b6f72733fe9f83086380c457c142573068a8bbf742b116b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 91B15771E002199FCF09CFA9C9916EEBBB6FF49311F248129D942B7240CA746986CB91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtQueryVirtualMemory.NTDLL ref: 6CBF760E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MemoryQueryVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2850889275-0
                                                                                                                                                                                  • Opcode ID: 3fd8ad293c7d6a489f0a47cf9ce8925f8a01447b98edff467fa923899579e6ca
                                                                                                                                                                                  • Instruction ID: 1dd8245cb34c6554846c934d55132773958a08cf2de3ba49ea4e7bc43581c655
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3fd8ad293c7d6a489f0a47cf9ce8925f8a01447b98edff467fa923899579e6ca
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B61F2307152C29BDB0ACE2DC590A1D73B1EB45358B2485E8D831EBB94E7B0D84FCB41
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetVersionExW.KERNEL32(0000011C), ref: 6CBF4FDA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Version
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1889659487-0
                                                                                                                                                                                  • Opcode ID: a6a39cbf2eb079d6af3bf43c405bb0e5412ad39bf93f55ff7adea7d5ea14d91d
                                                                                                                                                                                  • Instruction ID: 70000eaeab343fd8769d0d6abc1a395021fac8757f0bff1ed2d9ba8b1190d6fa
                                                                                                                                                                                  • Opcode Fuzzy Hash: a6a39cbf2eb079d6af3bf43c405bb0e5412ad39bf93f55ff7adea7d5ea14d91d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7BF01C7460424C8FCB15CF68D845ADABBB8AB4A300F0082D69D5987341D631D995CFA1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2DA7
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorStatus
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1596131371-0
                                                                                                                                                                                  • Opcode ID: faf623013ea4c1e839b318b23c66865b4f8a9196eaf0827af296973a439e2c49
                                                                                                                                                                                  • Instruction ID: db9465ddd02f64e0b86bab2f08459161ca3de111c3fc8725718968a8f86e374f
                                                                                                                                                                                  • Opcode Fuzzy Hash: faf623013ea4c1e839b318b23c66865b4f8a9196eaf0827af296973a439e2c49
                                                                                                                                                                                  • Instruction Fuzzy Hash: CAC01236606242BBEF099BA0E828D3ABA21EB95340F00881DB169866B1CA31A451CB12
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740291645.0000000000810000.00000040.00001000.00020000.00000000.sdmp, Offset: 00810000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_810000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: eeed882b9ab00d0c01230e741777529506dbf8cd605c31855c3a5ca3ccd5d6c1
                                                                                                                                                                                  • Instruction ID: 74cf0db9e6489d0a928f3554ecf1b5afab37d703dff0065f1502b2f69f5fd313
                                                                                                                                                                                  • Opcode Fuzzy Hash: eeed882b9ab00d0c01230e741777529506dbf8cd605c31855c3a5ca3ccd5d6c1
                                                                                                                                                                                  • Instruction Fuzzy Hash: CE312A76E1021A9F9F48CFAAD5810EEBBF2FF88324F25911AD415F7204DA745A428F94
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                                                                                                  • Instruction ID: c035040d3a1f58ac1ef561f8f7832cb22e90fe0d918e01d3fbd6fdfa66348408
                                                                                                                                                                                  • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7621C732901244ABDB00DF68C8C09ABBBA5FF45354B4581E8DC65AB345D770F91ECBE1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID:
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID:
                                                                                                                                                                                  • Opcode ID: 5fa5d5737de532f8867a89178c51baf7223a6f85c793188375a20ed39758af54
                                                                                                                                                                                  • Instruction ID: 8793fb1f0b39d29f97401c27f8e53cf3e805bf3264d627558bcf5f674bf79888
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5fa5d5737de532f8867a89178c51baf7223a6f85c793188375a20ed39758af54
                                                                                                                                                                                  • Instruction Fuzzy Hash: 30D05BB2B0212287CB0DCAD8F6409B177FCD7D621030342369439C7300E26964808F80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 6CBF589A
                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,WndClass1_56,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF58D4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClassCreateRegisterWindow
                                                                                                                                                                                  • String ID: 0$WndClass1_56$WndClass1_56$WndClass2_56$WndClass2_56
                                                                                                                                                                                  • API String ID: 3469048531-2885991380
                                                                                                                                                                                  • Opcode ID: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
                                                                                                                                                                                  • Instruction ID: 1da1817ac81876e7fe78940ce27b6f698a9a8a0e4fe90b04bb89c4cb50f8de6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B513AB0E40248EFDB08CF95C858B9EBBB4FB0A318F14C51AE5256B780D7755A4ACF94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(?,0123456789ABCDEF,00000022), ref: 6CBF553B
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF5668
                                                                                                                                                                                  • SuspendThread.KERNEL32(?), ref: 6CBF567B
                                                                                                                                                                                  • RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF56B9
                                                                                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 6CBF56C3
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF572E
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF5741
                                                                                                                                                                                  • SwitchToThread.KERNEL32 ref: 6CBF5747
                                                                                                                                                                                    • Part of subcall function 6CBF5240: UnregisterClassW.USER32(?,?), ref: 6CBF528B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$ClassCriticalSection$EnterFontLeaveRegisterRemoveResourceResumeSuspendSwitchUnregistermemcpy
                                                                                                                                                                                  • String ID: 0$0123456789ABCDEF
                                                                                                                                                                                  • API String ID: 196111645-1037189808
                                                                                                                                                                                  • Opcode ID: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
                                                                                                                                                                                  • Instruction ID: ec8ae05ca656cbd865962590630f0c9e5ad1a008833ab2aeeebbd841a51fc812
                                                                                                                                                                                  • Opcode Fuzzy Hash: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C6149B4A00248CFCB08CF94E594B9DBBB5FB49318F14C16AE9286BB51C735694ECF58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF677E
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF6791
                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 6CBF6799
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF67EE
                                                                                                                                                                                  • AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
• Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
APIs
• ResumeThread.KERNEL32(?), ref: 6CBF677E
• ResumeThread.KERNEL32(?), ref: 6CBF6791
• Sleep.KERNEL32(00000000), ref: 6CBF6799
• LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
• memset.NTDLL ref: 6CBF67EE
• AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
• EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
• GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
• SetMenu.USER32(?,00000000), ref: 6CBF6863
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
• String ID:
• API String ID: 1405369809-0
• Opcode ID: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
• Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
• Opcode Fuzzy Hash: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
• Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
APIs
• GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF3BA2,?,02DE87C8,00000000,6CBF1E14,00000750), ref: 6CBF3B38
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• GetTempPathA.KERNEL32(00000000,00000000,0000001D), ref: 6CBF3B51
• GetTickCount.KERNEL32 ref: 6CBF3B58
• GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 6CBF3B66
• PathFindExtensionA.SHLWAPI(00000000,.bin), ref: 6CBF3B76
• lstrcpyA.KERNEL32(00000000), ref: 6CBF3B7D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: PathTemp$AllocateCountExtensionFileFindHeapNameTicklstrcpy
• String ID: .bin
• API String ID: 1954728293-886015214
• Opcode ID: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
• Instruction ID: 3905d135d33b871c7896516b736e2a5dbd637fd96508635cecfa37c238bceb92
• Opcode Fuzzy Hash: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
• Instruction Fuzzy Hash: AAF0F6323429616786115AFB5C48D9F6A7CEF4B565B00021AF534D3700CB20C50F86F6
APIs
  • Part of subcall function 6CBF3AC5: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
  • Part of subcall function 6CBF3AC5: GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
• lstrlenW.KERNEL32(00000000,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000), ref: 6CBF1D69
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• PathFindFileNameW.SHLWAPI(00000000,6CBF0000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D81
• lstrcpyW.KERNEL32(00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D92
• lstrcpyW.KERNEL32(?,Low\,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DA4
• lstrcatW.KERNEL32(00000000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DAA
  • Part of subcall function 6CBF3AC5: WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
  • Part of subcall function 6CBF3AC5: SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
  • Part of subcall function 6CBF3AC5: CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
  • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: File$Heaplstrcpy$AllocateCloseCreateErrorFindFreeHandleLastNamePathWritelstrcatlstrlen
• String ID: Low\
• API String ID: 3723596976-2980988522
• Opcode ID: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
• Instruction ID: 5e8701f11d77c39a025a0949a0e6b88ad5f1dc7e94c412a8fb6a500fcdbcd2cb
• Opcode Fuzzy Hash: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
• Instruction Fuzzy Hash: 321191BA501669BBDF015BB68C44CDF76BCEF067587084915F92097B00CB75CA0A8BF1
APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,?,CCCCFEEB,6CBF406A,?,?,?,00000000), ref: 6CBF3DBA
• memcpy.NTDLL(?,6CBFA9C4,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 6CBF3E25
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: HandleModulememcpy
• String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
• API String ID: 1801490239-3173696408
• Opcode ID: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
• Instruction ID: ffeb380d8d970bc5294ced276848d6be44e6e33cb8b0d0530b48e838d2b55140
• Opcode Fuzzy Hash: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
• Instruction Fuzzy Hash: 530140B9B039819B9B09DA1AE945C573AB1F7C9318712C836E274D7B10D334944E8E73
APIs
• VirtualAlloc.KERNEL32(00000000,-00001000,00003000,00000004), ref: 6CBF5A8B
  • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,6CBF5C0B), ref: 6CBF5386
  • Part of subcall function 6CBF5320: GetAncestor.USER32(?,00000001,?,?,6CBF5C0B), ref: 6CBF539B
  • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,?), ref: 6CBF53D9
• memset.NTDLL ref: 6CBF5AB1
• SetWindowLongW.USER32(?,?,00000000), ref: 6CBF5B2D
• SetClassLongW.USER32(?,00000000,00000000), ref: 6CBF5B47
• SetWindowLongW.USER32(?,?,-00000018), ref: 6CBF5B81
• VirtualFree.KERNEL32(00000000,-00001000,00010000), ref: 6CBF5B99
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: Long$Window$Virtual$AllocAncestorClassFreememset
• String ID:
• API String ID: 210331842-0
• Opcode ID: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
• Instruction ID: 4b866780d81807b53a4af51d80212cabb928143c0fb43d53a00e6ddbf7fe0d85
• Opcode Fuzzy Hash: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
• Instruction Fuzzy Hash: 83513AB5700104EFCB08CF98D594FAAB7B5FB89304F1082AAED299B755C731AA49CF54
APIs
• lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
Strings
Memory Dump Source
• Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
Similarity
• API ID: lstrcpyn
• String ID: .bss$Apr 11 2017$N;U$N;U$version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
• API String ID: 97706510-2121357827
• Opcode ID: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
• Instruction ID: bb5a7339562cc7116cf36ba3f756b68a3f4c171f1f3ff192e00d3cceaef4690d
• Opcode Fuzzy Hash: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
• Instruction Fuzzy Hash: 20419F71A002599BDB05CF89C4C0AAEB7B2FF89318F258159DD206B705C374E94ACF92
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF543C
                                                                                                                                                                                  • SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF545C
                                                                                                                                                                                  • SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF548C
                                                                                                                                                                                  • SetThreadPriority.KERNEL32(?,?), ref: 6CBF54AE
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF54DF
                                                                                                                                                                                  • SwitchToThread.KERNEL32 ref: 6CBF54E5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$AffinityMask$FontPriorityRemoveResourceResumeSwitch
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3293583530-0
                                                                                                                                                                                  • Opcode ID: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
                                                                                                                                                                                  • Instruction ID: 9c0a5c3a3cfb1f3b8c9d6fc981a2cf4cc05864e3cf2f8c6865b2b463514c51b8
                                                                                                                                                                                  • Opcode Fuzzy Hash: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 10219F71704200DFCB08CF25D888B9A73BAFB86305F54C169E9298BB55CB75998DDF04
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
                                                                                                                                                                                  • SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1150274393-0
                                                                                                                                                                                  • Opcode ID: 1fa98072f8eaf05507fa63ce1bc88c1eaf4cf7b32bb04cdbff0d4c69fa08c6ad
                                                                                                                                                                                  • Instruction ID: dec0df28a768cc174fd2adc2b05bf1900ad554e936af1e7c54224dd283fe291c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1fa98072f8eaf05507fa63ce1bc88c1eaf4cf7b32bb04cdbff0d4c69fa08c6ad
                                                                                                                                                                                  • Instruction Fuzzy Hash: AFF01D32341124BBDB111BA7AC4CEAB7F7DEB4B7B1F004216FA25D3690C632891196A2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryW.KERNEL32(USER32.dll,IsMenu,6CBF70E8), ref: 6CBF50A0
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6CBF50A7
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                                  • String ID: 0$IsMenu$USER32.dll
                                                                                                                                                                                  • API String ID: 2574300362-703140235
                                                                                                                                                                                  • Opcode ID: cc9a0f938fa14f8b072fec4081c3d8e5c63c78e31e07a8a098205318f7b74d17
                                                                                                                                                                                  • Instruction ID: 26210d2a029d98420bfd28eefd953acc5f0aa6ab2bbcbc41a9e975770cd4b0bf
                                                                                                                                                                                  • Opcode Fuzzy Hash: cc9a0f938fa14f8b072fec4081c3d8e5c63c78e31e07a8a098205318f7b74d17
                                                                                                                                                                                  • Instruction Fuzzy Hash: FB311430A45148EFCB04CFA8D594B9CBBB6FF42309F24C299C42567745C7306B9AEB49
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
                                                                                                                                                                                  • lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
                                                                                                                                                                                  • wsprintfW.USER32 ref: 6CBF3339
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: lstrlen$AllocHeapwsprintf
                                                                                                                                                                                  • String ID: rundll32 "%s",%S
                                                                                                                                                                                  • API String ID: 458455750-2508549009
                                                                                                                                                                                  • Opcode ID: 5af5c74a5b491cc25dd7be06e68711dc9dbaa5a98aa34cbbcfee8b58046cc697
                                                                                                                                                                                  • Instruction ID: 03e81d6da2243d981d6fd24f2f93a5315b66ed2a564a357d18a82a0696aadbd9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5af5c74a5b491cc25dd7be06e68711dc9dbaa5a98aa34cbbcfee8b58046cc697
                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F05E32942528FBCF125F65DC0899A7B78EB0AB55B40C122FD39A7710D632CA258BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,00008002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF5792
                                                                                                                                                                                  • SetWindowLongW.USER32(00000000,00000000,31323334), ref: 6CBF57C5
                                                                                                                                                                                  • DestroyWindow.USER32(00000000,00000000), ref: 6CBF57FE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$CreateDestroyLong
                                                                                                                                                                                  • String ID: 4321
                                                                                                                                                                                  • API String ID: 409825929-3297689448
                                                                                                                                                                                  • Opcode ID: f3e5668419dce49ce9031371069b3d43b96762121ee3f97bc444d27e37a12afa
                                                                                                                                                                                  • Instruction ID: 1fe00eda46727468619b96eb3d1efaf5705df8dbaf8bad668acc8303ba3c5ac7
                                                                                                                                                                                  • Opcode Fuzzy Hash: f3e5668419dce49ce9031371069b3d43b96762121ee3f97bc444d27e37a12afa
                                                                                                                                                                                  • Instruction Fuzzy Hash: 76112A74E40288EFDB00DFA8CC49BAEB7B5FB05309F108599E5216B780C7746A49CF89
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2C92: GetModuleFileNameW.KERNEL32(0000007F,00000000,00000104,00000208,00000000,00000000,?,?,6CBF2386,00000000), ref: 6CBF2CB8
                                                                                                                                                                                    • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
                                                                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,0000007F), ref: 6CBF23C0
                                                                                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23D2
                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23EA
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF2405
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3110218675-0
                                                                                                                                                                                  • Opcode ID: 905bf694174791799d3bf9d739f0a8b9a0c00a4c0e4b26336a5cb7e89f5f89f7
                                                                                                                                                                                  • Instruction ID: 42d5959779e206ba71a5bb1d240cd1dbc444fba2413c5b7adac5cfad64f60da8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 905bf694174791799d3bf9d739f0a8b9a0c00a4c0e4b26336a5cb7e89f5f89f7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 161181B1601158BBDB11DA66CC49EEF7E7DEF42758F104021F625E3650D371CA4AC6A2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
                                                                                                                                                                                  • GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
                                                                                                                                                                                  • OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 845504543-0
                                                                                                                                                                                  • Opcode ID: ab5e7f3a4ed1d2a6a77747dbfbb83043efea3962590a7fb60e60a03e6a8c6304
                                                                                                                                                                                  • Instruction ID: 03ed0ff2bfeded511f8297972549a02d162fba300a47181b58eb7df4853f71a8
                                                                                                                                                                                  • Opcode Fuzzy Hash: ab5e7f3a4ed1d2a6a77747dbfbb83043efea3962590a7fb60e60a03e6a8c6304
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62F0DCB13827008BEF044B69B9197503BB8EB87B11F158626E231DB3C0D361C002CF15
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryW.KERNEL32(ntdll.dll,6CBF51A0,?,6CBF51A0,NtAllocateVirtualMemory), ref: 6CBF507C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6CBF5083
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000000.00000002.1740519196.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000000.00000002.1740504253.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000000.00000002.1740519196.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_0_2_6cbf0000_loaddll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                                  • String ID: ntdll.dll
                                                                                                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                                                                                                  • Opcode ID: e5078b9ffba2687853459310ebf7c7746a89487c93fe6f6b41bbfde43f9fbaa9
                                                                                                                                                                                  • Instruction ID: 556942d24cc67699f56b70155a36ee8af9bc5f9ffd6a01f0db05e7033bb3bd89
                                                                                                                                                                                  • Opcode Fuzzy Hash: e5078b9ffba2687853459310ebf7c7746a89487c93fe6f6b41bbfde43f9fbaa9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 28C04C76600208AB8A005AF9AC08C9677AC965A6117404412B61983600C635A4588A65

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:24.7%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:0.5%
                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                  Total number of Nodes:953
                                                                                                                                                                                  Total number of Limit Nodes:79
execution_graph (rendered as an interactive call graph on the original report page; the raw node/edge token dump is summarised below by function cluster, listing the APIs the dump attaches to each node; nodes labelled "N API calls" are collapsed limit nodes, 79 in total per the counts above)
• Startup and environment checks (6cbf112f, 6cbf16b2, 6cbf1a53, 6cbf22c9, 6cbf1000, 6cbf2c92, 6cbf150f): CreateEventA, GetVersion, GetCurrentProcessId, OpenProcess, IsWow64Process, GetCursorInfo, GetLongPathNameW, GetModuleFileNameW/A, CreateFileA, ReadFile, SetupDiGetClassDevsA, SetupDiEnumDeviceInfo, SetupDiGetDeviceRegistryPropertyA followed by four StrStrIA checks on the returned device property, LoadLibraryA, GetProcAddress, FindWindowA; failure paths lead to ExitProcess (6cbf113a)
• Token and SID inspection (6cbf2f05, 6cbf1acc): OpenProcessToken, GetTokenInformation, GetSidSubAuthorityCount, GetSidSubAuthority, ZwOpenProcess, ZwOpenProcessToken, ZwQueryInformationToken, memcpy, ZwClose
• Security descriptor and event setup (6cbf137f): ConvertStringSecurityDescriptorToSecurityDescriptorA, CreateEventA; SetEvent/Sleep/ResetEvent loop at 6cbf1976
• Registry and file-system persistence (6cbf3349, 6cbf1f0f, 6cbf128f, 6cbf1c30, 6cbf1be5, 6cbf2fce): RegOpenKeyA/RegOpenKeyExA, RegEnumKeyExA, RegQueryValueExW/A, RegCreateKeyA, RegSetValueExW/A, RegOpenKeyW, RegDeleteValueW, RegCloseKey, lstrcmpiW; CreateFileW, WriteFile, SetEndOfFile, FlushFileBuffers, GetFileSize, ReadFile; DeleteFileW, MoveFileExW, CreateWaitableTimerA, SetWaitableTimer; ExpandEnvironmentStringsA, GetFileTime, FindFirstFileA/FindNextFileA/FindClose, CompareFileTime
• COM and path handling (6cbf1ddb, 6cbf1d2e): CoInitializeEx, CoUninitialize, PathFindExtensionW, PathFindFileNameW, lstrcpyW/lstrcatW/lstrlenW, wsprintfW
• Process enumeration and child process launch (6cbf2d19, 6cbf157a, 6cbf13e7): NtQuerySystemInformation, RtlNtStatusToDosError, RtlUpcaseUnicodeString, RtlFreeUnicodeString, CreateProcessA, WaitForSingleObject, GetExitCodeProcess, CloseHandle
• Remote-process injection (6cbf45f3, 6cbf449e, 6cbf4341, 6cbf3ca4, 6cbf2db0, 6cbf3c49, 6cbf2df1, 6cbf2e32, 6cbf3ed3, 6cbf4943, 6cbf4904, 6cbf4b80, 6cbf29aa, 6cbf2885, 6cbf272f, 6cbf3d87, 6cbf236c): OpenProcess, ZwQueryInformationProcess, NtAllocateVirtualMemory, NtWriteVirtualMemory, VirtualProtectEx, NtProtectVirtualMemory, NtCreateSection, NtMapViewOfSection, NtUnmapViewOfSection, SuspendThread, ResumeThread, Wow64SuspendThread, WaitForSingleObject, memcpy-based image copying, GetModuleHandleA plus CreateFileA/SetFilePointer/ReadFile to re-read a module from disk; RtlNtStatusToDosError/SetLastError on each failed native call
• 32-bit to 64-bit target handling (6cbf2492, 6cbf241d, 6cbf2286, 6cbf2a18, 6cbf2b4b, 6cbf389c): NtWow64QueryInformationProcess64, NtWow64ReadVirtualMemory64, VirtualAlloc, VirtualFree, lstrcmpiA, lstrcmpA, StrChrA, StrRChrA over module names
• Window, font and worker-thread setup (6cbf68c0, 6cbf4fc0, 6cbf5070, 6cbf5090, 6cbf5190, 6cbf5760, 6cbf5810, 6cbf5e30, 6cbf6c74, 6cbf5973): Sleep, VirtualAlloc, GetModuleHandleA/W, InitializeCriticalSection, LoadLibraryW, LoadLibraryExW, GetProcAddress, GetVersionExW, IsWow64Process, GetCurrentProcess, RegisterClassExW, CreateWindowExW, SetWindowLongW, DestroyWindow, UnregisterClassW, SHGetFolderPathW, wcslen, AddFontResourceExW, RemoveFontResourceExW, CreateThread, WaitForSingleObject, TerminateThread
• Exception handling and memory housekeeping (6cbf733c, 6cbf755d, 6cbf7448, 6cbf2bf8): NtQueryVirtualMemory, RtlUnwind, VirtualFree
• Dynamically allocated region at 3460000 (34604f0, 3460542): NtProtectVirtualMemory followed by NtAllocateVirtualMemory
3506->3507 3507->3499 3509 6cbf6003 memset memcpy FindFirstFileW 3507->3509 3508->3505 3508->3514 3510 6cbf6127 3509->3510 3511 6cbf6073 FindNextFileW 3509->3511 3510->3499 3513 6cbf6130 AddFontResourceExW 3510->3513 3511->3510 3512 6cbf608f 3511->3512 3512->3511 3516 6cbf60aa memset memcpy wcslen memcpy 3512->3516 3513->3499 3515 6cbf6148 RemoveFontResourceExW 3513->3515 3518 6cbf51f0 2 API calls 3514->3518 3519 6cbf6419 3514->3519 3515->3499 3516->3512 3517 6cbf6525 3521 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3517->3521 3517->3542 3520 6cbf6308 3518->3520 3519->3517 3522 6cbf650f DestroyWindow 3519->3522 3523 6cbf51f0 2 API calls 3520->3523 3524 6cbf6598 SetWindowLongW 3521->3524 3521->3542 3522->3519 3531 6cbf6324 3523->3531 3525 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3524->3525 3526 6cbf664a SetThreadAffinityMask 3525->3526 3525->3542 3588 6cbf5500 memcpy 3525->3588 3599 6cbf53f0 3525->3599 3527 6cbf667f SetThreadAffinityMask 3526->3527 3526->3542 3528 6cbf6698 7 API calls 3527->3528 3529 6cbf6706 7 API calls 3527->3529 3530 6cbf6772 ResumeThread ResumeThread Sleep 3528->3530 3529->3530 3532 6cbf679f 3530->3532 3531->3519 3536 6cbf51f0 2 API calls 3531->3536 3533 6cbf67c5 LeaveCriticalSection 3532->3533 3538 6cbf6854 SetMenu 3532->3538 3539 6cbf6886 3532->3539 3532->3542 3534 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3533->3534 3535 6cbf67e5 memset 3533->3535 3534->3532 3535->3534 3537 6cbf63fa 3536->3537 3540 6cbf51f0 2 API calls 3537->3540 3538->3532 3543 6cbf5bb0 3539->3543 3540->3519 3571 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3543->3571 3545 6cbf5c0b 3572 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3545->3572 3547 6cbf5c75 3575 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3547->3575 3550 6cbf5c22 3550->3547 3551 6cbf5c5c 3550->3551 3573 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3550->3573 3574 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 
3551->3574 3553 6cbf5ddb 3579 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3553->3579 3554 6cbf5cf6 GetCurrentProcessId 3555 6cbf5cc1 3554->3555 3555->3554 3559 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3555->3559 3561 6cbf5d72 3555->3561 3568 6cbf5d58 3555->3568 3558 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3558->3561 3559->3555 3560 6cbf5df1 3580 6cbf59f0 3560->3580 3561->3553 3561->3558 3565 6cbf5dc7 3561->3565 3563 6cbf5c85 3563->3555 3576 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3563->3576 3578 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3565->3578 3566 6cbf59f0 9 API calls 3569 6cbf5e1c 3566->3569 3577 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3568->3577 3569->3542 3571->3545 3572->3550 3573->3550 3574->3547 3575->3563 3576->3563 3577->3561 3578->3553 3579->3560 3584 6cbf5a37 3580->3584 3581 6cbf5a5d VirtualAlloc 3583 6cbf5aa1 memset SetWindowLongW SetClassLongW SetWindowLongW VirtualFree 3581->3583 3585 6cbf5a9a 3581->3585 3583->3585 3584->3581 3586 6cbf5a50 3584->3586 3587 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3584->3587 3585->3566 3586->3581 3587->3584 3596 6cbf5592 3588->3596 3589 6cbf5752 3590 6cbf5240 UnregisterClassW 3589->3590 3591 6cbf5757 3590->3591 3592 6cbf564e EnterCriticalSection SuspendThread 3592->3596 3593 6cbf56bf RegisterClassExW 3593->3596 3594 6cbf56ab RemoveFontResourceExW 3594->3593 3595 6cbf5240 UnregisterClassW 3595->3596 3596->3589 3596->3592 3596->3593 3596->3594 3596->3595 3597 6cbf5722 ResumeThread LeaveCriticalSection SwitchToThread 3596->3597 3598 6cbf5240 UnregisterClassW 3596->3598 3597->3596 3598->3597 3600 6cbf53fb 3599->3600 3601 6cbf54f0 3600->3601 3602 6cbf542f RemoveFontResourceExW SetThreadAffinityMask 3600->3602 3603 6cbf5494 SetThreadPriority 3600->3603 3604 6cbf5473 SetThreadAffinityMask 3600->3604 3605 6cbf54e5 SwitchToThread 3600->3605 3606 6cbf54d2 ResumeThread 3600->3606 3602->3600 3603->3600 3604->3600 3605->3600 3606->3605 3624 6cbf3b2b 
GetTempPathA 3607->3624 3609 6cbf3ba2 3610 6cbf1d52 3609->3610 3611 6cbf361f 4 API calls 3609->3611 3610->2849 3614 6cbf3ac5 CreateFileW 3610->3614 3612 6cbf3bb0 3611->3612 3634 6cbf11c7 RtlFreeHeap 3612->3634 3615 6cbf3aeb GetLastError 3614->3615 3616 6cbf3af5 WriteFile 3614->3616 3617 6cbf3b23 3615->3617 3618 6cbf3b0b SetEndOfFile 3616->3618 3619 6cbf3b14 GetLastError 3616->3619 3617->2841 3620 6cbf3b1c CloseHandle 3618->3620 3619->3620 3620->3617 3621->2844 3622->2846 3623->2849 3625 6cbf3b40 3624->3625 3633 6cbf3b8b 3624->3633 3635 6cbf11b2 RtlAllocateHeap 3625->3635 3627 6cbf3b49 3628 6cbf3b4f GetTempPathA 3627->3628 3627->3633 3629 6cbf3b57 GetTickCount GetTempFileNameA 3628->3629 3630 6cbf3b85 3628->3630 3629->3630 3631 6cbf3b70 PathFindExtensionA lstrcpyA 3629->3631 3636 6cbf11c7 RtlFreeHeap 3630->3636 3631->3633 3633->3609 3634->3610 3635->3627 3636->3633 3637->2866 3638->2866 3639->2864 3640->2869 3653 6cbf62a7 3654 6cbf62b6 3653->3654 3656 6cbf51f0 2 API calls 3654->3656 3658 6cbf6419 3654->3658 3655 6cbf6525 3657 6cbf6542 3655->3657 3660 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3655->3660 3659 6cbf6308 3656->3659 3658->3655 3661 6cbf650f DestroyWindow 3658->3661 3662 6cbf51f0 2 API calls 3659->3662 3660->3657 3663 6cbf6598 SetWindowLongW 3660->3663 3661->3658 3670 6cbf6324 3662->3670 3664 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3663->3664 3664->3657 3665 6cbf664a SetThreadAffinityMask 3664->3665 3681 6cbf5500 9 API calls 3664->3681 3682 6cbf53f0 6 API calls 3664->3682 3665->3657 3666 6cbf667f SetThreadAffinityMask 3665->3666 3667 6cbf6698 7 API calls 3666->3667 3668 6cbf6706 7 API calls 3666->3668 3669 6cbf6772 ResumeThread ResumeThread Sleep 3667->3669 3668->3669 3675 6cbf679f 3669->3675 3670->3658 3674 6cbf51f0 2 API calls 3670->3674 3671 6cbf67c5 LeaveCriticalSection 3672 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3671->3672 3673 6cbf67e5 memset 3671->3673 3672->3675 3673->3672 3676 
6cbf63fa 3674->3676 3675->3657 3675->3671 3677 6cbf6854 SetMenu 3675->3677 3678 6cbf6886 3675->3678 3679 6cbf51f0 2 API calls 3676->3679 3677->3675 3680 6cbf5bb0 10 API calls 3678->3680 3679->3658 3680->3657 3683 6cbf70a6 3684 6cbf7139 3683->3684 3685 6cbf714e CreateThread 3684->3685 3686 6cbf7147 3684->3686 3687 6cbf72a7 UnregisterClassW VirtualFree 3685->3687 3688 6cbf7182 WaitForSingleObject 3685->3688 3699 6cbf5e30 67 API calls 3685->3699 3687->3686 3689 6cbf71a8 3688->3689 3690 6cbf71b7 TerminateThread 3688->3690 3689->3690 3691 6cbf71da WaitForSingleObject TerminateThread 3690->3691 3692 6cbf7206 3690->3692 3691->3692 3693 6cbf7215 WaitForSingleObject TerminateThread 3692->3693 3694 6cbf7241 RemoveFontResourceExW 3692->3694 3693->3694 3695 6cbf725b 3694->3695 3696 6cbf7259 3694->3696 3697 6cbf5240 UnregisterClassW 3695->3697 3696->3694 3698 6cbf7260 UnregisterClassW UnregisterClassW UnregisterClassW 3697->3698 3698->3687 3788 6cbf6645 3789 6cbf6772 ResumeThread ResumeThread Sleep 3788->3789 3794 6cbf679f 3789->3794 3790 6cbf688b 3791 6cbf67c5 LeaveCriticalSection 3792 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3791->3792 3793 6cbf67e5 memset 3791->3793 3792->3794 3793->3792 3794->3790 3794->3791 3795 6cbf6854 SetMenu 3794->3795 3796 6cbf6886 3794->3796 3795->3794 3797 6cbf5bb0 10 API calls 3796->3797 3797->3790 3798 6cbf7344 3799 6cbf7362 3798->3799 3801 6cbf73f8 3798->3801 3800 6cbf755d NtQueryVirtualMemory 3799->3800 3803 6cbf737d 3800->3803 3802 6cbf7448 RtlUnwind 3802->3803 3803->3801 3803->3802 3646 6cbf1142 3647 6cbf114f 3646->3647 3648 6cbf1191 InterlockedDecrement 3646->3648 3649 6cbf1179 3647->3649 3651 6cbf1152 InterlockedIncrement 3647->3651 3648->3649 3650 6cbf11a0 HeapDestroy 3648->3650 3650->3649 3651->3649 3652 6cbf1161 HeapCreate 3651->3652 3652->3649 3746 6cbf5300 DefWindowProcW

Control-flow Graph (image not reproduced in this export)
APIs
• HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
• HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
• memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
• CloseHandle.KERNEL32(?), ref: 6CBF3097
• StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
• lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
• FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
• FindNextFileA.KERNEL32(?,?), ref: 6CBF3125
• FindClose.KERNEL32(?), ref: 6CBF3132
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF313E
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3160
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF3193
• memcpy.NTDLL(00000000,?,00000000), ref: 6CBF31CC
• FindNextFileA.KERNELBASE(?,?), ref: 6CBF31E1
• FindClose.KERNEL32(?), ref: 6CBF31EE
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF31FA
• CompareFileTime.KERNEL32(?,?), ref: 6CBF320A
• FindClose.KERNELBASE(?), ref: 6CBF322E
• HeapFree.KERNEL32(00000000,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF3240
• HeapFree.KERNEL32(00000000,6CBF11FC), ref: 6CBF3250
Reading of the sequence: the function expands %systemroot%\system32\c_1252.nls, opens it read-only (GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL) just long enough to read its file times, cuts the path at the last backslash (StrRChrA with 0x5C) and appends \*.dll, then walks the DLLs in the same directory three times with FindFirstFileA/FindNextFileA, comparing each file's times against those of c_1252.nls with CompareFileTime. In the second pass a matching file name is cut at its first '.' (StrChrA with 0x2E) and copied out with memcpy. In practice the DLLs whose file times equal those of c_1252.nls are the ones laid down by the OS installation itself, so the result is the base name of a genuine system DLL; the exact selection rule across the three passes and what the name is used for are not recoverable from this listing.
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: File$Find$CloseHeapTime$CompareFirst$AllocEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
• String ID: %systemroot%\system32\c_1252.nls$C;U$N;U$\*.dll
• API String ID: 65366329-1666359264
• Opcode ID: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
• Instruction ID: 05d5463d24ce46c45770ecb8a2ba2b729a7eeb245f1c4261e05fee7f870330c0
• Opcode Fuzzy Hash: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
• Instruction Fuzzy Hash: 55815AB1E00159AFDF119FA5DC88AEEBBB9FB4A300F10416AE525E3350D7319A49CF61

Control-flow Graph (image not reproduced in this export)
APIs
• SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000002), ref: 6CBF1022
• SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 6CBF1043
• SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,0000000C,?,00000000,00000000,?), ref: 6CBF1068
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,?,?), ref: 6CBF1092
• StrStrIA.SHLWAPI(00000000,vbox), ref: 6CBF10A4
• StrStrIA.SHLWAPI(00000000,qemu), ref: 6CBF10B0
• StrStrIA.SHLWAPI(00000000,vmware), ref: 6CBF10BC
• StrStrIA.SHLWAPI(00000000,virtual hd), ref: 6CBF10C8
• SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 6CBF10DA
Reading of the sequence: SetupDiGetClassDevsA with Flags = 2 (DIGCF_PRESENT) builds the set of present devices of one setup class, SetupDiEnumDeviceInfo walks it, and SetupDiGetDeviceRegistryPropertyA with Property = 0xC (SPDRP_FRIENDLYNAME) is called twice per device, first with a NULL buffer and size 0 to learn the required size and then into a buffer from the 6CBF11B2 heap allocator. Each friendly name is then searched case-insensitively (StrStrIA) for vbox, qemu, vmware and virtual hd, so this is the sample's device-name virtual-machine check. The class GUID is not recovered in the listing; the markers match the disk friendly names of VirtualBox, QEMU and VMware guests and Hyper-V's "Virtual HD ATA Device", which points at the disk-drive class.
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Setup$Device$InfoPropertyRegistry$AllocateClassDestroyDevsEnumHeapList
• String ID: qemu$vbox$virtual hd$vmware
• API String ID: 2901969455-1017834832
• Opcode ID: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
• Instruction ID: fd22ef24022785b512a174992cb252a9fd1467c273b143b92da56823b82780ef
• Opcode Fuzzy Hash: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
• Instruction Fuzzy Hash: 5B21697190115DBAEF01DAA5CD80DFFBBBCEB06758F140526F920E3640D7719E0A9B61
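The SetupAPI check above can be reproduced on an analysis host to see exactly what this sample would see. The script below is an added example written for this page, not code from the sample or from Joe Sandbox. `vm_marker_in` and `flag_virtual_disks` apply the same case-insensitive substring test (StrStrIA semantics) to a list of friendly names, and `enumerate_friendly_names` reads SPDRP_FRIENDLYNAME for present devices through SetupAPI on Windows with the same flag (DIGCF_PRESENT = 2) and property index (0xC) that appear in the listing. The setup class is an assumption, since the listing shows the GUID argument as `?`: GUID_DEVCLASS_DISKDRIVE is used here because "virtual hd" only occurs in disk names. The friendly names in the demo are constructed.

```python
import ctypes
import sys

# Markers the sample searches for with StrStrIA (from the listing above).
VM_MARKERS = ("vbox", "qemu", "vmware", "virtual hd")

# Raw argument values seen in the listing: SetupDiGetClassDevsA(..., 2) and
# SetupDiGetDeviceRegistryPropertyA(..., 0xC, ...).
DIGCF_PRESENT = 0x00000002
SPDRP_FRIENDLYNAME = 0x0000000C


def vm_marker_in(friendly_name):
    """StrStrIA semantics: case-insensitive substring. Returns the first marker hit or None."""
    lowered = friendly_name.lower()
    for marker in VM_MARKERS:
        if marker in lowered:
            return marker
    return None


def flag_virtual_disks(friendly_names):
    """Apply the sample's check to a list of friendly names; pure, so it can run offline."""
    hits = []
    for name in friendly_names:
        marker = vm_marker_in(name)
        if marker:
            hits.append((name, marker))
    return hits


# ---- Windows-only part: read the same property the sample reads, via SetupAPI ----
class GUID(ctypes.Structure):
    _fields_ = [("Data1", ctypes.c_uint32), ("Data2", ctypes.c_uint16),
                ("Data3", ctypes.c_uint16), ("Data4", ctypes.c_ubyte * 8)]


class SP_DEVINFO_DATA(ctypes.Structure):
    _fields_ = [("cbSize", ctypes.c_uint32), ("ClassGuid", GUID),
                ("DevInst", ctypes.c_uint32), ("Reserved", ctypes.c_void_p)]


# Assumption: the class GUID shown as "?" in the listing is GUID_DEVCLASS_DISKDRIVE
# {4d36e967-e325-11ce-bfc1-08002be10318}; "virtual hd" is only meaningful for disks.
GUID_DEVCLASS_DISKDRIVE = GUID(0x4D36E967, 0xE325, 0x11CE,
                               (ctypes.c_ubyte * 8)(0xBF, 0xC1, 0x08, 0x00, 0x2B, 0xE1, 0x03, 0x18))


def enumerate_friendly_names(class_guid=GUID_DEVCLASS_DISKDRIVE):
    """Return SPDRP_FRIENDLYNAME of every present device in the class (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("SetupAPI is only available on Windows")
    api = ctypes.WinDLL("setupapi", use_last_error=True)
    api.SetupDiGetClassDevsA.restype = ctypes.c_void_p
    api.SetupDiGetClassDevsA.argtypes = [ctypes.POINTER(GUID), ctypes.c_char_p,
                                         ctypes.c_void_p, ctypes.c_uint32]
    api.SetupDiEnumDeviceInfo.argtypes = [ctypes.c_void_p, ctypes.c_uint32,
                                          ctypes.POINTER(SP_DEVINFO_DATA)]
    api.SetupDiGetDeviceRegistryPropertyA.argtypes = [
        ctypes.c_void_p, ctypes.POINTER(SP_DEVINFO_DATA), ctypes.c_uint32,
        ctypes.POINTER(ctypes.c_uint32), ctypes.c_void_p, ctypes.c_uint32,
        ctypes.POINTER(ctypes.c_uint32)]
    api.SetupDiDestroyDeviceInfoList.argtypes = [ctypes.c_void_p]

    hdev = api.SetupDiGetClassDevsA(ctypes.byref(class_guid), None, None, DIGCF_PRESENT)
    if hdev is None or hdev == ctypes.c_void_p(-1).value:  # NULL or INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    names = []
    try:
        data = SP_DEVINFO_DATA()
        data.cbSize = ctypes.sizeof(SP_DEVINFO_DATA)
        index = 0
        while api.SetupDiEnumDeviceInfo(hdev, index, ctypes.byref(data)):
            buf = ctypes.create_string_buffer(1024)
            if api.SetupDiGetDeviceRegistryPropertyA(hdev, ctypes.byref(data), SPDRP_FRIENDLYNAME,
                                                     None, buf, ctypes.sizeof(buf), None):
                names.append(buf.value.decode("mbcs", "replace"))
            index += 1
    finally:
        api.SetupDiDestroyDeviceInfoList(hdev)
    return names


if __name__ == "__main__":
    # Constructed names; on Windows replace with enumerate_friendly_names().
    demo = ["Samsung SSD 970 EVO 1TB", "VBOX HARDDISK ATA Device", "Msft Virtual Disk"]
    print(flag_virtual_disks(demo))
```

On a sandbox VM, `flag_virtual_disks(enumerate_friendly_names())` shows whether the disk names would trip this check. Note that the four markers catch VirtualBox, QEMU, VMware and the Hyper-V Generation 1 IDE disk ("Virtual HD ATA Device") but not the Hyper-V SCSI disk name "Msft Virtual Disk", so a Generation 2 Hyper-V analysis VM passes this particular test unless the name has been customised.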

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 296 6cbf3ed3-6cbf3ef6 297 6cbf3ef8-6cbf3eff 296->297 298 6cbf3f10-6cbf3f15 296->298 297->298 299 6cbf3f01-6cbf3f0e 297->299 300 6cbf3f17-6cbf3f19 298->300 299->300 301 6cbf3f1b-6cbf3f22 300->301 302 6cbf3f27-6cbf3f62 call 6cbf4943 300->302 303 6cbf40c4-6cbf40ca 301->303 306 6cbf409d-6cbf40a1 302->306 307 6cbf3f68-6cbf3f92 call 6cbf4904 302->307 309 6cbf40b5-6cbf40b9 306->309 310 6cbf40a3-6cbf40af NtUnmapViewOfSection RtlNtStatusToDosError 306->310 307->306 313 6cbf3f98-6cbf3fab call 6cbf4a02 307->313 309->303 312 6cbf40bb-6cbf40be CloseHandle 309->312 310->309 312->303 313->306 316 6cbf3fb1-6cbf3fb6 313->316 317 6cbf3fb8-6cbf3fc1 memcpy 316->317 318 6cbf3fc4-6cbf3fc9 316->318 317->318 319 6cbf3fcb-6cbf3fd3 318->319 320 6cbf3ff6-6cbf4019 memcpy 318->320 319->320 321 6cbf3fd5 319->321 322 6cbf402c-6cbf4030 320->322 323 6cbf401b-6cbf4029 320->323 326 6cbf3fda-6cbf3ff4 321->326 324 6cbf4048-6cbf404c 322->324 325 6cbf4032-6cbf4045 322->325 323->322 327 6cbf404e-6cbf4055 324->327 328 6cbf4064-6cbf4065 call 6cbf3d87 324->328 325->324 326->320 329 6cbf3fd7 326->329 327->328 330 6cbf4057-6cbf405d call 6cbf3e34 327->330 333 6cbf406a-6cbf406f 328->333 329->326 334 6cbf4062 330->334 333->306 335 6cbf4071-6cbf4095 memcpy call 6cbf29aa 333->335 334->333 337 6cbf409a 335->337 337->306
APIs
• memcpy.NTDLL(?,CCCCFEEB,?,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF3FBC
• memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF400D
  • Part of subcall function 6CBF3E34: memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
• memcpy.NTDLL(?,6CBF46C5,00000800,?,?,?,00000000), ref: 6CBF407D
  • Part of subcall function 6CBF29AA: memset.NTDLL ref: 6CBF29C9
• NtUnmapViewOfSection.NTDLL ref: 6CBF40A8
• RtlNtStatusToDosError.NTDLL ref: 6CBF40AF
• CloseHandle.KERNELBASE(00000000,?,?,?,?,00000000), ref: 6CBF40BE
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: memcpy$CloseErrorHandleSectionStatusUnmapViewmemset
• String ID: N;U
• API String ID: 742001727-3665909347
• Opcode ID: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
• Instruction ID: 77e417ceb0d9adca1ac51cfcdb02af875be58890c25355191e9974a46a12a127
• Opcode Fuzzy Hash: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
• Instruction Fuzzy Hash: 6D613AB1A0124AEFDF10CFA8C984A9EBBB9FF04308F104569E925A7751D731A64ACF51

Control-flow Graph (graph rendering not recoverable)

APIs
• ZwOpenProcess.NTDLL(6CBF0000,00000400,?,?,?,00000000,00000000), ref: 6CBF1B14
• ZwOpenProcessToken.NTDLL(6CBF0000,00000008,00000000), ref: 6CBF1B27
• ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,6CBF0000), ref: 6CBF1B42
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,6CBF0000,6CBF0000,6CBF0000), ref: 6CBF1B5F
• memcpy.NTDLL(00000000,00000000,0000001C), ref: 6CBF1B6C
• ZwClose.NTDLL(00000000,6CBF0000), ref: 6CBF1B7E
• ZwClose.NTDLL(6CBF0000), ref: 6CBF1B87
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
• String ID:
• API String ID: 2575439697-0
• Opcode ID: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
• Instruction ID: 835a9d551e7a3b4cbb89d56226c5fc3c20b14dc4dff64b5f9f73d6a45fe889c3
• Opcode Fuzzy Hash: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
• Instruction Fuzzy Hash: F22119B1A00118BBDF01DFA5CC449DEBFBDEF09750F104066F514E6221D7719A4A9BA0
APIs
• GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
• NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
  • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
  • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
• StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
Strings
• ZwWow64QueryInformationProcess64, xrefs: 6CBF24A3
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
• String ID: ZwWow64QueryInformationProcess64
• API String ID: 3547194813-1903490642
• Opcode ID: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
• Instruction ID: bf70ba9ce6e551137f06e5f2f295773d0e82bfd0e0e834d7786fb84ced7a2c54
• Opcode Fuzzy Hash: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
• Instruction Fuzzy Hash: 62616270A01286EBDF05CFA5D894BEEBBB4FF08304F104529E964A7741D770E959CBA2
APIs
• NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 6CBF499E
• memset.NTDLL ref: 6CBF49C3
• RtlNtStatusToDosError.NTDLL ref: 6CBF49DF
• ZwClose.NTDLL(?), ref: 6CBF49F3
  • Part of subcall function 6CBF4904: NtMapViewOfSection.NTDLL ref: 6CBF4931
  • Part of subcall function 6CBF4904: RtlNtStatusToDosError.NTDLL ref: 6CBF4938
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: ErrorSectionStatus$CloseCreateViewmemset
• String ID:
• API String ID: 783833395-0
• Opcode ID: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
• Instruction ID: 73a2bb660cde6f3345ac6d6d02d1d5e594ad71e821b93691309b4e7821b780b6
• Opcode Fuzzy Hash: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
• Instruction Fuzzy Hash: 55215975A00269AFCF01CFA8CD449EEBBB8EB09720F104516F920E7240D7719A598FA5
APIs
• GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
• NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
Strings
• ZwWow64ReadVirtualMemory64, xrefs: 6CBF2434
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: AddressMemory64ProcReadVirtualWow64
• String ID: ZwWow64ReadVirtualMemory64
• API String ID: 752694512-2880279267
• Opcode ID: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
• Instruction ID: 31dffb25bcd454abb4ef14d41b2bda261722909730cd7705e27962e654375083
• Opcode Fuzzy Hash: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
• Instruction Fuzzy Hash: EFF03A76600644BFCF068F96DC04C4EFFBAEB89350B108429F96093320D271D956DF21
APIs
• GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000000), ref: 6CBF22A0
• NtWow64QueryInformationProcess64.NTDLL(6CBF4211,00000000,00000000,00000030,6CBF4211,00000000,6CBF4211,?,?,C000009A,?,00000000,00000000), ref: 6CBF22BF
Strings
• ZwWow64QueryInformationProcess64, xrefs: 6CBF2295
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: AddressInformationProcProcess64QueryWow64
• String ID: ZwWow64QueryInformationProcess64
• API String ID: 1650446693-1903490642
• Opcode ID: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
• Instruction ID: 70f10d12b7686bd382422908f4539a7a2e55624809dfc16690092b60b051b051
• Opcode Fuzzy Hash: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
• Instruction Fuzzy Hash: 64E04F31305351AFEB028A54EC05F057BB4AB5A754F054425B534E3350D321CD15DF52
APIs
• NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
• RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
• SetLastError.KERNEL32(00000000), ref: 6CBF2E71
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Error$AllocateLastMemoryStatusVirtual
• String ID:
• API String ID: 722216270-0
• Opcode ID: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
• Instruction ID: e1696c6e52f82c8b35b8127d70b07aa4c4083810d5045a848bfb14f64b6b2c96
                                                                                                                                                                                  • Opcode Fuzzy Hash: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
                                                                                                                                                                                  • Instruction Fuzzy Hash: A4F05E71A11309FBEB04CB95D819B9EB7BCAB05305F104048A210A6280EBB4EB04CB65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,00000004,6CBF468D,6CBF468D,00000000,74E05030,?,6CBF3C80,?,00000004,6CBF468D,00000004,?), ref: 6CBF2E0F
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2E1E
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,6CBF3C80,?,00000004,6CBF468D,00000004,?,?,?,?,6CBF453C,00000000,6CBF468D,CCCCFEEB,00000000), ref: 6CBF2E25
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$LastMemoryStatusVirtualWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1089604434-0
                                                                                                                                                                                  • Opcode ID: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
                                                                                                                                                                                  • Instruction ID: b68facb3353404949bade2746c938b6a2a580ca39d6f051695f5ef0a5dfee969
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 08E01232241299ABDF015FE9AC08D8B7B69EB0D751B104425BA21C6711C731D5219BA1
APIs
• NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,?,00000000,DF18C02A), ref: 03460532
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 03460569
Memory Dump Source
• Source File: 00000003.00000002.1715618898.0000000003460000.00000040.00001000.00020000.00000000.sdmp, Offset: 03460000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_3460000_regsvr32.jbxd
Similarity
• API ID: MemoryVirtual$AllocateProtect
• String ID:
• API String ID: 2931642484-0
• Opcode ID: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
• Instruction ID: de3d41514ed3d9597c82469951611cca03137540cab08f1e8fdb1a811deacd43
• Opcode Fuzzy Hash: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
• Instruction Fuzzy Hash: 59F14876E002189FDF14CFA6C980A9EBBB2FF88310F25816AD519BB255D734A942CF54
APIs
• NtQuerySystemInformation.NTDLL ref: 6CBF2D4A
• RtlNtStatusToDosError.NTDLL ref: 6CBF2D83
  • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: ErrorFreeHeapInformationQueryStatusSystem
• String ID:
• API String ID: 2533303245-0
• Opcode ID: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
• Instruction ID: f03f2fbc581efe32e4f056fd35d422eeb25efae4bed09f61f2f51062f8b05a37
• Opcode Fuzzy Hash: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
• Instruction Fuzzy Hash: D701F27A9039F4AAD7124655890CBDE7968CF46B58F110114ED30A7B00D770CE0A82F3
APIs
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: ErrorSectionStatusView
• String ID:
• API String ID: 1313840181-0
• Opcode ID: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
• Instruction ID: 83790d556e31726be7f376e3c44faf6c4d30b93a27a300a62e93d82d0fcede85
• Opcode Fuzzy Hash: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
• Instruction Fuzzy Hash: 31E0E5B6900208FFEF059F95DC0FDEF7B7DEB45300F00856AF615A6151E6B1AA149B60
APIs
• NtProtectVirtualMemory.NTDLL ref: 6CBF4BCB
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
• Instruction ID: 28cc42cccdb4055abea283a3ea790c5e4a853cf746611ce8e43d63e46f8e3474
• Opcode Fuzzy Hash: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
• Instruction Fuzzy Hash: 75F0243101860A5BD714EB58CC82EA6B3ECFF49310F04065CBCA5873D1E671B964CBC2

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 6cbf1f0f-6cbf1f2a 1 6cbf1f2c 0->1 2 6cbf1f33-6cbf1f39 0->2 1->2 3 6cbf1f3f-6cbf1f47 2->3 4 6cbf2277-6cbf2283 2->4 3->4 5 6cbf1f4d-6cbf1f5a StrChrA 3->5 5->4 6 6cbf1f60-6cbf1fa8 lstrcpyA lstrcatA * 2 RegOpenKeyA 5->6 6->4 7 6cbf1fae-6cbf1fcb RegQueryValueExW 6->7 8 6cbf2267 7->8 9 6cbf1fd1-6cbf1ff9 lstrlenW HeapAlloc 7->9 11 6cbf226e-6cbf2271 RegCloseKey 8->11 9->8 10 6cbf1fff-6cbf2015 RegQueryValueExW 9->10 12 6cbf201b-6cbf2068 PathCombineW CreateDirectoryW PathCombineW CreateDirectoryW PathCombineW lstrcmpiW 10->12 13 6cbf2257-6cbf2265 HeapFree 10->13 11->4 14 6cbf206e-6cbf2076 12->14 15 6cbf2250 12->15 13->11 16 6cbf2078-6cbf207f call 6cbf32ee 14->16 17 6cbf2081-6cbf2082 call 6cbf35c6 14->17 15->13 21 6cbf2087-6cbf208c 16->21 17->21 22 6cbf2247-6cbf224e 21->22 23 6cbf2092-6cbf20cb lstrcpyA RegOpenKeyExA 21->23 22->13 24 6cbf20cd-6cbf20ff lstrlenW RegSetValueExW RegCloseKey 23->24 25 6cbf2105-6cbf210a 23->25 24->25 28 6cbf2235-6cbf2245 HeapFree 24->28 26 6cbf210c-6cbf2111 call 6cbf1be5 25->26 27 6cbf2121-6cbf2129 call 6cbf1c30 25->27 31 6cbf2116-6cbf211b 26->31 32 6cbf212e-6cbf2133 27->32 28->13 31->27 33 6cbf2232 31->33 34 6cbf21de-6cbf21e1 32->34 35 6cbf2139-6cbf213b 32->35 33->28 36 6cbf222f 34->36 37 6cbf21e3-6cbf21fd RegOpenKeyExA 34->37 38 6cbf213d-6cbf2145 call 6cbf35c6 35->38 39 6cbf2147-6cbf2174 lstrcpyA RegCreateKeyA 35->39 36->33 37->33 40 6cbf21ff-6cbf2218 RegOpenKeyW 37->40 38->39 39->33 42 6cbf217a-6cbf219d RegQueryValueExA 39->42 43 6cbf221a-6cbf222d RegDeleteValueW RegCloseKey 40->43 44 6cbf21d3-6cbf21dc RegCloseKey 40->44 46 6cbf219f-6cbf21a3 42->46 47 6cbf21bb-6cbf21c0 42->47 43->44 44->33 46->47 48 6cbf21a5-6cbf21b9 RegSetValueExA 46->48 47->44 49 6cbf21c2-6cbf21d1 RegSetValueExA 47->49 48->47 49->44
APIs
• StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 6CBF1F52
• lstrcpyA.KERNEL32(?,?), ref: 6CBF1F6A
• lstrcatA.KERNEL32(?,\Software\Microsoft\Windows\CurrentVersion), ref: 6CBF1F82
• lstrcatA.KERNEL32(?,\Explorer\Shell Folders), ref: 6CBF1F90
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 6CBF1FA0
• RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF1FC6
• lstrlenW.KERNEL32 ref: 6CBF1FD7
• HeapAlloc.KERNEL32(00000000,?), ref: 6CBF1FEC
• RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF2011
• PathCombineW.SHLWAPI(00000000,00000000,Microsoft), ref: 6CBF2033
• CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2037
• PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2045
• CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2049
• PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2057
• lstrcmpiW.KERNEL32(00000000), ref: 6CBF2060
  • Part of subcall function 6CBF32EE: lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
  • Part of subcall function 6CBF32EE: lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
  • Part of subcall function 6CBF32EE: HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
  • Part of subcall function 6CBF32EE: wsprintfW.USER32 ref: 6CBF3339
• lstrcpyA.KERNEL32(?,\Run,00000000), ref: 6CBF20A2
• RegOpenKeyExA.KERNELBASE(?,?,00000000,6CBF3417,?), ref: 6CBF20C3
• lstrlenW.KERNEL32(?), ref: 6CBF20D0
• RegSetValueExW.KERNELBASE(?,00000000,00000001,?,?), ref: 6CBF20EA
• RegCloseKey.KERNELBASE(?), ref: 6CBF20F6
• lstrcpyA.KERNEL32(?,?,6CBF342F,0AEBFFFF), ref: 6CBF2158
• RegCreateKeyA.ADVAPI32(?,?,?), ref: 6CBF216C
• RegQueryValueExA.ADVAPI32(?,Client,00000000,?,?,?), ref: 6CBF218F
• RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028), ref: 6CBF21B9
• RegSetValueExA.ADVAPI32(?,Client32,00000000,00000003,BFA98035,3D6CBF80), ref: 6CBF21D1
• RegCloseKey.ADVAPI32(?), ref: 6CBF21D6
• RegOpenKeyExA.ADVAPI32(?,?,00000000,6CBF3417,?,?,6CBF342F,0AEBFFFF), ref: 6CBF21F5
• RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 6CBF2210
• RegDeleteValueW.ADVAPI32(?,056586E0), ref: 6CBF221E
• RegCloseKey.ADVAPI32(?), ref: 6CBF2227
• HeapFree.KERNEL32(00000000,?,?,6CBF342F,0AEBFFFF), ref: 6CBF223F
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF225F
• RegCloseKey.ADVAPI32(?), ref: 6CBF2271
Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$CloseHeapOpenlstrlen$CombineCreatePathQuerylstrcpy$AllocDirectoryFreelstrcat$Deletelstrcmpiwsprintf
                                                                                                                                                                                  • String ID: ($AppData$Client$Client32$Microsoft$\Explorer\Shell Folders$\Run$\Software\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                  • API String ID: 4063272932-2954684206
                                                                                                                                                                                  • Opcode ID: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
                                                                                                                                                                                  • Instruction ID: d5b5995981af87601f0265e63448b9721a9a69c03413a0e9ad7d1cc960552da6
                                                                                                                                                                                  • Opcode Fuzzy Hash: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 23A12671A00189FFDF119FA2DC88DAEBB7DFB0A344F104422F925A6610D7319A5ADF52
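Added example (not part of the Joe Sandbox report): a small Python parser for the API-trace lines in the listing above, with a heuristic that flags the Run-key persistence the function's calls and strings point to. The sample input is copied verbatim from the listing; the line grammar, the REG_TYPES table, the pad-to-six-arguments handling and the flag_persistence rule are assumptions of this example, not something Joe Sandbox exposes. Arguments shown as ? are values the sandbox could not resolve, so the key handle and the hive are never recoverable from the trace alone; the heuristic instead relies on the \Software\Microsoft\Windows\CurrentVersion and \Run fragments that the function concatenates at runtime (lstrcat appears in its API ID).

```python
"""Parse Joe Sandbox API-trace lines and flag Run-key persistence.
Added example, not part of the Joe Sandbox report: SAMPLE_TRACE and
SAMPLE_STRING_ID are copied from the listing above; the grammar, the
heuristic and all names are this example's own."""
import re
from dataclasses import dataclass
from typing import Optional

# "• Api.MODULE(args), ref: ADDR", optionally prefixed with "Part of subcall
# function X:" and optionally without an argument list ("GetLastError.KERNEL32
# ref: ...").  The greedy .* keeps parentheses inside arguments (SDDL) intact.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Constructed input: the 17 calls of the function above, verbatim.
SAMPLE_TRACE = r"""
• RegOpenKeyExA.KERNELBASE(?,?,00000000,6CBF3417,?), ref: 6CBF20C3
• lstrlenW.KERNEL32(?), ref: 6CBF20D0
• RegSetValueExW.KERNELBASE(?,00000000,00000001,?,?), ref: 6CBF20EA
• RegCloseKey.KERNELBASE(?), ref: 6CBF20F6
• lstrcpyA.KERNEL32(?,?,6CBF342F,0AEBFFFF), ref: 6CBF2158
• RegCreateKeyA.ADVAPI32(?,?,?), ref: 6CBF216C
• RegQueryValueExA.ADVAPI32(?,Client,00000000,?,?,?), ref: 6CBF218F
• RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028), ref: 6CBF21B9
• RegSetValueExA.ADVAPI32(?,Client32,00000000,00000003,BFA98035,3D6CBF80), ref: 6CBF21D1
• RegCloseKey.ADVAPI32(?), ref: 6CBF21D6
• RegOpenKeyExA.ADVAPI32(?,?,00000000,6CBF3417,?,?,6CBF342F,0AEBFFFF), ref: 6CBF21F5
• RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 6CBF2210
• RegDeleteValueW.ADVAPI32(?,056586E0), ref: 6CBF221E
• RegCloseKey.ADVAPI32(?), ref: 6CBF2227
• HeapFree.KERNEL32(00000000,?,?,6CBF342F,0AEBFFFF), ref: 6CBF223F
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF225F
• RegCloseKey.ADVAPI32(?), ref: 6CBF2271
"""
SAMPLE_STRING_ID = (r"• String ID: ($AppData$Client$Client32$Microsoft"
                    r"$\Explorer\Shell Folders$\Run$\Software\Microsoft\Windows\CurrentVersion")

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int
    subcall_of: Optional[int] = None

def parse_trace(text: str) -> list:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # "APIs", "Strings", blank lines
        raw, sub = m.group("args"), m.group("sub")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls

def parse_string_ids(line: str) -> list:
    """'• String ID: a$b$c' -> ['a', 'b', 'c'] ('$' is the report's separator)."""
    return [s for s in line.split("String ID:", 1)[1].split("$") if s.strip()]

def _hex_or_none(tok: str) -> Optional[int]:
    try:
        return int(tok, 16)
    except ValueError:
        return None                       # '?' = value the sandbox could not resolve

def registry_writes(calls: list) -> list:
    """RegSetValueEx{A,W}(hKey, lpValueName, Reserved, dwType, lpData, cbData)."""
    found = []
    for c in calls:
        if c.api not in ("RegSetValueExA", "RegSetValueExW"):
            continue
        a = c.args + ["?"] * (6 - len(c.args))     # pad short argument lists
        dtype = _hex_or_none(a[3])
        found.append({"value": a[1], "type": REG_TYPES.get(dtype, "unknown"),
                      "size": _hex_or_none(a[5]), "ref": f"{c.ref:08X}"})
    return found

def flag_persistence(calls: list, strings: list) -> dict:
    """Heuristic (this example's own): a function that writes registry values and
    also carries the '...\\CurrentVersion' and '\\Run' path fragments, which are
    joined at runtime; the hive is not visible in the trace."""
    writes = registry_writes(calls)
    cv = next((s for s in strings if s.endswith("\\CurrentVersion")), None)
    run = next((s for s in strings if s.endswith("\\Run")), None)
    return {"persistence": bool(writes and cv and run),
            "key_suffix": (cv + run) if cv and run else None, "writes": writes}

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print(flag_persistence(calls, parse_string_ids(SAMPLE_STRING_ID)))
```

Run as a script it prints one finding: the key suffix \Software\Microsoft\Windows\CurrentVersion\Run and three RegSetValueEx calls, one whose type the trace does not resolve and two REG_BINARY writes (Client, 0x28 = 40 bytes; Client32 with a cbData of 3D6CBF80, which cannot be a real value size, so that slot was not resolved either). The same parser accepts the "Part of subcall function" lines and the no-argument form used elsewhere in the report.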

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                   control_flow_graph 84 6cbf16b2-6cbf16dc call 6cbf1a53 87 6cbf1a48-6cbf1a50 84->87 88 6cbf16e2-6cbf16ed 84->88 89 6cbf16f1-6cbf1729 GetCursorInfo call 6cbf345b 88->89 92 6cbf172b-6cbf172d 89->92 92->87 93 6cbf1733-6cbf1740 call 6cbf22c9 92->93 96 6cbf1754-6cbf1757 93->96 97 6cbf1742-6cbf174c 93->97 98 6cbf1759-6cbf176d call 6cbf2c92 96->98 99 6cbf17b2-6cbf17d8 CreateFileA 96->99 97->96 98->99 109 6cbf176f-6cbf1781 GetLongPathNameW 98->109 101 6cbf17fd-6cbf1801 99->101 102 6cbf17da-6cbf17f0 ReadFile 99->102 103 6cbf1818-6cbf1830 call 6cbf389c 101->103 104 6cbf1803 call 6cbf1000 101->104 106 6cbf17f6-6cbf17f7 CloseHandle 102->106 107 6cbf17f2 102->107 117 6cbf1843-6cbf186b call 6cbf150f call 6cbf1b96 103->117 118 6cbf1832-6cbf1837 103->118 111 6cbf1808-6cbf180e 104->111 106->101 107->106 112 6cbf17a9-6cbf17ad 109->112 113 6cbf1783-6cbf1794 call 6cbf11b2 109->113 111->103 115 6cbf1810 111->115 112->99 113->112 123 6cbf1796-6cbf17a2 GetLongPathNameW call 6cbf11c7 113->123 119 6cbf1812-6cbf1813 115->119 130 6cbf186d-6cbf187f call 6cbf1b96 117->130 131 6cbf1885-6cbf1898 call 6cbf2e82 117->131 118->117 121 6cbf1839-6cbf183e call 6cbf1638 118->121 119->87 121->117 129 6cbf17a7 123->129 129->99 130->131 136 6cbf1a40-6cbf1a46 GetLastError 130->136 137 6cbf189e-6cbf18a5 call 6cbf11dc 131->137 138 6cbf1a3b-6cbf1a3e 131->138 136->87 137->87 141 6cbf18ab-6cbf18b1 137->141 138->87 138->136 142 6cbf18bc-6cbf18c1 call 6cbf2f05 141->142 143 6cbf18b3 call 6cbf128f 141->143 146 6cbf18c6-6cbf18c8 142->146 147 6cbf18b8-6cbf18ba 143->147 148 6cbf190b-6cbf1916 call 6cbf137f 146->148 149 6cbf18ca-6cbf18d2 146->149 147->142 147->148 154 6cbf191f-6cbf193a 148->154 155 6cbf1918 148->155 149->148 150 6cbf18d4-6cbf18db call 6cbf14c3 149->150 150->148 159 6cbf18dd-6cbf18e3 150->159 157 6cbf193c-6cbf1941 154->157 158 6cbf1943 154->158 155->154 160 6cbf1948-6cbf196a ConvertStringSecurityDescriptorToSecurityDescriptorA CreateEventA 157->160 158->160 161 6cbf18fb-6cbf1906 call 6cbf1ddb 159->161 162 6cbf18e5-6cbf18f9 call 6cbf1d2e 159->162 163 6cbf196c-6cbf1974 GetLastError 160->163 164 6cbf1996-6cbf19b9 call 6cbf3349 160->164 161->119 162->148 162->161 167 6cbf198f-6cbf1990 CloseHandle 163->167 168 6cbf1976-6cbf1989 SetEvent Sleep ResetEvent 163->168 173 6cbf19bb-6cbf19bd 164->173 174 6cbf19e2-6cbf19f0 call 6cbf2d19 164->174 167->164 168->167 176 6cbf1a2f-6cbf1a39 LocalFree 173->176 177 6cbf19bf-6cbf19c6 173->177 174->138 180 6cbf19f2-6cbf1a09 CreateWaitableTimerA 174->180 176->138 177->174 179 6cbf19c8-6cbf19d1 DeleteFileW 177->179 179->174 181 6cbf19d3-6cbf19dc MoveFileExW 179->181 180->176 182 6cbf1a0b-6cbf1a29 SetWaitableTimer CloseHandle 180->182 181->176 182->176
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
                                                                                                                                                                                  • GetCursorInfo.USER32 ref: 6CBF16FE
                                                                                                                                                                                    • Part of subcall function 6CBF345B: lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
                                                                                                                                                                                  • CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 6CBF17E8
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF17F7
                                                                                                                                                                                    • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
                                                                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1),00000001,?,00000000), ref: 6CBF1948
                                                                                                                                                                                  • CreateEventA.KERNEL32(?,00000001,00000000,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF195B
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6CBF196C
                                                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 6CBF1977
                                                                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 6CBF1982
                                                                                                                                                                                  • ResetEvent.KERNEL32(00000000), ref: 6CBF1989
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF1990
                                                                                                                                                                                  • DeleteFileW.KERNELBASE(056587C8,?), ref: 6CBF19C9
                                                                                                                                                                                  • MoveFileExW.KERNELBASE(00000000,00000004), ref: 6CBF19DC
                                                                                                                                                                                  • CreateWaitableTimerA.KERNEL32(?,00000001,?), ref: 6CBF19FF
                                                                                                                                                                                  • SetWaitableTimer.KERNELBASE(00000000,0000000C,00000000,00000000,00000000,00000000), ref: 6CBF1A22
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF1A29
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 6CBF1A33
                                                                                                                                                                                  • GetLastError.KERNEL32(EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1A40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1), xrefs: 6CBF1943
                                                                                                                                                                                  • N;U, xrefs: 6CBF1851
                                                                                                                                                                                  • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 6CBF193C
                                                                                                                                                                                  • c:\321.txt, xrefs: 6CBF17C4
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateEventFile$CloseHandle$DescriptorErrorLastLongNamePathProcessSecurityTimerWaitable$ConvertCurrentCursorDeleteFreeInfoLocalMoveOpenReadResetSleepStringVersionlstrcmplstrcpyn
                                                                                                                                                                                  • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$N;U$S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)$c:\321.txt
                                                                                                                                                                                  • API String ID: 400546999-400329992
                                                                                                                                                                                  • Opcode ID: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction ID: 0bfabbcd689d29662f5e76863d64d4601979bad7f637ba32e1b45e975acdee41
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31A1B4B26052859FDB009F75D884A9E77F8EB45308F498E2AF571D3750D730D84E8B92
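Added example (not part of the Joe Sandbox report): the report prints the two SDDL strings raw, which hides the point that matters. The Python below decodes them into ACEs and summarizes who gets full control and from which integrity level writes are allowed. The descriptor strings are copied from the Strings list above and named here after their xref addresses; the parser, the alias tables and the summarize() rules are this example's own. Per the control-flow graph, the blocks at 6cbf193c and 6cbf1943 each load one of the two strings and both fall into 6cbf1948, where ConvertStringSecurityDescriptorToSecurityDescriptorA and CreateEventA sit in the same basic block, so the event's security descriptor is whichever string the branch at 6cbf193a selects; the LocalFree at 6CBF1A33 releases the buffer that ConvertStringSecurityDescriptorToSecurityDescriptorA allocates.

```python
"""Decode the SDDL strings the function above hands to
ConvertStringSecurityDescriptorToSecurityDescriptorA.
Added example, not part of the Joe Sandbox report: SDDL_6CBF1943 and
SDDL_6CBF193C are copied from the report's Strings list; the parser, the
alias tables and the summary rules are this example's own."""
import re

SDDL_6CBF1943 = "S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)"
SDDL_6CBF193C = "D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)"

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT",
             "ML": "SYSTEM_MANDATORY_LABEL"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "NP": "NO_PROPAGATE_INHERIT",
             "IO": "INHERIT_ONLY", "ID": "INHERITED", "SA": "SUCCESSFUL_ACCESS",
             "FA": "FAILED_ACCESS"}
RIGHTS = {"GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE",
          "GX": "GENERIC_EXECUTE", "RC": "READ_CONTROL", "SD": "DELETE", "WD": "WRITE_DAC",
          "WO": "WRITE_OWNER", "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
GENERIC_BITS = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000}
ALL_RIGHTS = 0x1FFFFF                 # STANDARD_RIGHTS_ALL | every object-specific bit
# Well-known SDDL aliases plus the literal SID the sample uses instead of "AC".
SIDS = {"WD": ("S-1-1-0", "Everyone"), "AN": ("S-1-5-7", "Anonymous"),
        "AU": ("S-1-5-11", "Authenticated Users"), "BA": ("S-1-5-32-544", "Builtin Administrators"),
        "BG": ("S-1-5-32-546", "Builtin Guests"), "SY": ("S-1-5-18", "Local System"),
        "LW": ("S-1-16-4096", "Low mandatory level"), "ME": ("S-1-16-8192", "Medium mandatory level"),
        "HI": ("S-1-16-12288", "High mandatory level"),
        "AC": ("S-1-15-2-1", "ALL APPLICATION PACKAGES")}
SID_NAMES = {sid: name for sid, name in SIDS.values()}

def _pairs(s: str) -> list:
    """SDDL packs two-letter tokens back to back: 'OICI' -> ['OI', 'CI']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def _sid(tok: str) -> tuple:
    """Alias ('WD') or literal SID ('S-1-15-2-1') -> (sid, display name)."""
    return SIDS.get(tok, (tok, SID_NAMES.get(tok, "unknown SID")))

def parse_ace(ace: str) -> dict:
    """(type;flags;rights;object_guid;inherit_object_guid;sid) -> decoded ACE."""
    atype, flags, rights, _obj, _inh_obj, sid = ace.split(";")
    if rights.lower().startswith("0x"):
        mask, names = int(rights, 16), [f"0x{int(rights, 16):x}"]
    else:
        toks = _pairs(rights)
        mask, names = sum(GENERIC_BITS.get(t, 0) for t in toks), [RIGHTS.get(t, t) for t in toks]
    sid_val, name = _sid(sid)
    return {"type": ACE_TYPES.get(atype, atype), "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
            "rights": names, "mask": mask, "sid": sid_val, "account": name}

def parse_sddl(sddl: str) -> dict:
    """Split O:/G:/D:/S: sections; DACL control flags such as 'PAI' are ignored."""
    desc = {"owner": None, "group": None, "dacl": [], "sacl": []}
    for m in re.finditer(r"(?P<k>[OGDS]):(?P<body>(?:(?![OGDS]:).)*)", sddl):
        k, body = m.group("k"), m.group("body")
        if k in "OG":
            desc["owner" if k == "O" else "group"] = _sid(body)
        else:
            desc["dacl" if k == "D" else "sacl"] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", body)]
    return desc

def summarize(desc: dict) -> dict:
    """Who ends up with full control, and from which integrity level writes pass
    the mandatory check.  An object with no label ACE is treated as Medium."""
    full = [a["account"] for a in desc["dacl"] if a["type"] == "ACCESS_ALLOWED"
            and (a["mask"] & GENERIC_BITS["GA"] or (a["mask"] & ALL_RIGHTS) == ALL_RIGHTS)]
    label = next((a for a in desc["sacl"] if a["type"] == "SYSTEM_MANDATORY_LABEL"), None)
    return {"full_control": full,
            "everyone": "Everyone" in full,
            "appcontainer": "ALL APPLICATION PACKAGES" in full,
            "denied": [a["account"] for a in desc["dacl"] if a["type"] == "ACCESS_DENIED"],
            "writable_from": label["account"] if label and "NO_WRITE_UP" in label["rights"]
                             else "Medium mandatory level (implicit)"}

if __name__ == "__main__":
    for xref, sddl in (("6CBF1943", SDDL_6CBF1943), ("6CBF193C", SDDL_6CBF193C)):
        print(xref, summarize(parse_sddl(sddl)))
```

For the 6CBF1943 string the summary reports Everyone and ALL APPLICATION PACKAGES with all 0x1fffff rights under a Low label with NO_WRITE_UP: any process at Low integrity or inside an AppContainer, which is where sandboxed browser content processes run, can open and signal an event created with it. The 6CBF193C string is the opposite pattern: Builtin Guests and Anonymous denied, Authenticated Users and Builtin Administrators granted GENERIC_ALL, with OI/CI inheritance flags that only take effect on a container such as a directory.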

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  control_flow_graph 199 6cbf150f-6cbf1526 LoadLibraryA 200 6cbf1528-6cbf153c GetProcAddress 199->200 201 6cbf1574-6cbf1579 199->201 202 6cbf153e-6cbf1551 GetModuleHandleA GetProcAddress 200->202 203 6cbf1572-6cbf1573 200->203 202->203 204 6cbf1553-6cbf155e FindWindowA 202->204 203->201 204->203 205 6cbf1560-6cbf1569 204->205 205->203 207 6cbf156b 205->207 207->203
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(USER32.DLL,6CBF0000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF151E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000,FindWindowA), ref: 6CBF1536
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(USER32.DLL,GetWindowThreadProcessId,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF1544
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6CBF154B
                                                                                                                                                                                  • FindWindowA.USER32(ProgMan,00000000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF155A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProc$FindHandleLibraryLoadModuleWindow
                                                                                                                                                                                  • String ID: FindWindowA$GetWindowThreadProcessId$N;U$N;U$ProgMan$USER32.DLL
                                                                                                                                                                                  • API String ID: 2344282417-784344377
                                                                                                                                                                                  • Opcode ID: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
                                                                                                                                                                                  • Instruction ID: 90303c8af2e5426ee61dd3f30d4da4a227fc22531a4cb19a3f2950c7a1b0db72
                                                                                                                                                                                  • Opcode Fuzzy Hash: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8EF0F6B2E01259B7EF0196B99C46FAF7AECDB06654F60041AA533E3700DA74DD0A86B1

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(6CBF342F,C0000000,00000001,00000000,00000004,00000080,00000000,6CBF3417,00000000,6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C6C
                                                                                                                                                                                  • WriteFile.KERNEL32(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C92
                                                                                                                                                                                  • WriteFile.KERNEL32(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CAB
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CB1
                                                                                                                                                                                  • SetEndOfFile.KERNEL32(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CBD
                                                                                                                                                                                  • CloseHandle.KERNEL32(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CC6
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CCE
                                                                                                                                                                                  • CreateFileW.KERNEL32(6CBF342F,C0000000,00000001,00000000,00000003,00000080,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CED
                                                                                                                                                                                  • WriteFile.KERNEL32(00000000,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D03
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D09
                                                                                                                                                                                  • FlushFileBuffers.KERNEL32(00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D13
                                                                                                                                                                                  • GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D1B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$ErrorLast$Write$Create$BuffersCloseFlushHandle
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2625730619-0
                                                                                                                                                                                  • Opcode ID: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
                                                                                                                                                                                  • Instruction ID: 71b52acd720305bbb8fdd735e3808596cbd223411343c519a1023ed0fa8217e4
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
                                                                                                                                                                                  • Instruction Fuzzy Hash: E83162B1A00208FFEF00DFA5CD44BAEBBB9EB4A754F148515F920E7290D7719A019B21

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF1407
                                                                                                                                                                                    • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
                                                                                                                                                                                    • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
                                                                                                                                                                                    • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
                                                                                                                                                                                  • CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?,00000000,%systemroot%\system32\svchost.exe,C000009A,?,00000000), ref: 6CBF1444
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000001), ref: 6CBF1470
                                                                                                                                                                                  • GetExitCodeProcess.KERNEL32(?,00000000), ref: 6CBF1481
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,00000000,00000001), ref: 6CBF1490
                                                                                                                                                                                  • CloseHandle.KERNEL32(?), ref: 6CBF1495
                                                                                                                                                                                  • GetLastError.KERNEL32(00000001), ref: 6CBF1499
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 6CBF14AA
                                                                                                                                                                                    • Part of subcall function 6CBF449E: memset.NTDLL ref: 6CBF44C1
                                                                                                                                                                                    • Part of subcall function 6CBF449E: ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
                                                                                                                                                                                    • Part of subcall function 6CBF449E: WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
                                                                                                                                                                                    • Part of subcall function 6CBF449E: SuspendThread.KERNEL32(?), ref: 6CBF456D
                                                                                                                                                                                    • Part of subcall function 6CBF449E: GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
                                                                                                                                                                                    • Part of subcall function 6CBF449E: ResumeThread.KERNELBASE(?), ref: 6CBF45E4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$CloseEnvironmentErrorExpandHandleLastObjectProcessResumeSingleStringsWaitmemset$AddressCodeCreateExitFreeHeapProcSuspend
                                                                                                                                                                                  • String ID: %systemroot%\system32\svchost.exe$D
                                                                                                                                                                                  • API String ID: 3646439427-390745801
                                                                                                                                                                                  • Opcode ID: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
                                                                                                                                                                                  • Instruction ID: dff90efabb4aff0f65664f43ecb5f690705236365ede14db7bfd50482c3267fd
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
                                                                                                                                                                                  • Instruction Fuzzy Hash: 012169B1901168BFCB019FA6DC489EF7F7DEF46365F108426F625A6250C7318A098FA2

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 241 6cbf128f-6cbf12ac 242 6cbf12ae 241->242 243 6cbf12b3-6cbf12c9 call 6cbf32ee 241->243 242->243 246 6cbf12cf-6cbf12f4 RegOpenKeyExA 243->246 247 6cbf1378-6cbf137e 243->247 248 6cbf136b-6cbf1377 RtlFreeHeap 246->248 249 6cbf12f6-6cbf1318 lstrlenW HeapAlloc 246->249 248->247 250 6cbf131a-6cbf1335 RegQueryValueExW 249->250 251 6cbf1362-6cbf1365 RegCloseKey 249->251 252 6cbf1358-6cbf1360 HeapFree 250->252 253 6cbf1337-6cbf134f lstrcmpiW 250->253 251->248 252->251 253->252 254 6cbf1351 253->254 254->252
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,6CBF0000,00000000,00000000), ref: 6CBF12E6
                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 6CBF12F9
                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?), ref: 6CBF130E
                                                                                                                                                                                  • RegQueryValueExW.KERNELBASE(?,00000000,00000001,00000000,?), ref: 6CBF132D
                                                                                                                                                                                  • lstrcmpiW.KERNEL32(00000000,?), ref: 6CBF1347
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 6CBF1360
                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 6CBF1365
                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,?), ref: 6CBF1375
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 6CBF12DC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$AllocCloseOpenQueryValuelstrcmpilstrlen
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                                                                                  • API String ID: 464076213-1428018034
                                                                                                                                                                                  • Opcode ID: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
                                                                                                                                                                                  • Instruction ID: fe687682966ef18a9cadcd1d6bf5c1e12d65ed12d7db68d216dd488f7ad79e6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF217C72A01119BFDF119FA2DC48EAFBBBCFB06348B554565E921E3310D3729915CBA0

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 255 6cbf45f3-6cbf4629 call 6cbf22c9 OpenProcess 258 6cbf462f-6cbf4631 255->258 259 6cbf46b4-6cbf46ba GetLastError 255->259 261 6cbf4633-6cbf463a 258->261 262 6cbf4641-6cbf4665 GetProcAddress * 2 258->262 260 6cbf46bc-6cbf46c2 259->260 261->262 263 6cbf463c-6cbf463f 261->263 264 6cbf4667-6cbf4669 262->264 265 6cbf46a4 262->265 266 6cbf46a9-6cbf46b2 CloseHandle 263->266 264->265 267 6cbf466b-6cbf467f 264->267 265->266 266->260 269 6cbf469a-6cbf46a2 GetLastError 267->269 270 6cbf4681-6cbf4698 call 6cbf449e CloseHandle 267->270 269->266 270->266
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
                                                                                                                                                                                    • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
                                                                                                                                                                                    • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
                                                                                                                                                                                    • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(0000028C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
                                                                                                                                                                                    • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(0000028C,?,?,6CBF173E,00000000,?), ref: 6CBF2335
                                                                                                                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,6CBF1623,6CBF1623,C000009A,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF461E
                                                                                                                                                                                  • GetProcAddress.KERNEL32(RtlExitUserThread), ref: 6CBF4652
                                                                                                                                                                                  • GetProcAddress.KERNEL32(CreateRemoteThread), ref: 6CBF4661
                                                                                                                                                                                  • CloseHandle.KERNEL32(6CBF1623,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF4692
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF469A
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,6CBF1623,?,?), ref: 6CBF46AC
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF46B4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Handle$AddressCloseProcProcess$ErrorLastOpen$ModuleWow64
                                                                                                                                                                                  • String ID: CreateRemoteThread$RtlExitUserThread
                                                                                                                                                                                  • API String ID: 1303122091-3466022969
                                                                                                                                                                                  • Opcode ID: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
                                                                                                                                                                                  • Instruction ID: 82551c7240de48624df413532e57212cef16f453a4b6d6d5af3e551ea2f3c787
                                                                                                                                                                                  • Opcode Fuzzy Hash: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B219272A00198BFDF015FF5DD4889EBBB9EB0A354B114876E931E3710D6714D0E8E91

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 273 6cbf2a18-6cbf2a57 call 6cbf2492 VirtualAlloc 276 6cbf2a5d-6cbf2a68 call 6cbf2492 273->276 277 6cbf2b23 273->277 280 6cbf2a6d-6cbf2a73 276->280 279 6cbf2b2b-6cbf2b2d 277->279 281 6cbf2b2f-6cbf2b37 VirtualFree 279->281 282 6cbf2b3d-6cbf2b48 279->282 283 6cbf2a9b-6cbf2a9d 280->283 284 6cbf2a75-6cbf2a79 280->284 281->282 283->277 286 6cbf2aa3-6cbf2aa7 283->286 284->283 285 6cbf2a7b-6cbf2a99 VirtualFree VirtualAlloc 284->285 285->276 285->283 286->277 287 6cbf2aa9-6cbf2ab4 286->287 287->279 288 6cbf2ab6 287->288 289 6cbf2abc-6cbf2ace lstrcmpiA 288->289 290 6cbf2b00-6cbf2b1a 289->290 291 6cbf2ad0-6cbf2adb StrChrA 289->291 290->279 294 6cbf2b1c-6cbf2b21 290->294 292 6cbf2add-6cbf2aea lstrcmpiA 291->292 293 6cbf2aec-6cbf2afc 291->293 292->290 292->293 293->289 295 6cbf2afe 293->295 294->279 295->279
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2492: GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
                                                                                                                                                                                    • Part of subcall function 6CBF2492: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
                                                                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
                                                                                                                                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
                                                                                                                                                                                    • Part of subcall function 6CBF2492: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
                                                                                                                                                                                  • VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
• String ID: NTDLL.DLL
• API String ID: 3901270786-1613819793
• Opcode ID: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction ID: 6feb7925d7ff07bc43edbcc22aa82d619937076948661425e6b66be1e10d63d6
• Opcode Fuzzy Hash: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction Fuzzy Hash: 2A31C371205792ABD321CF56C888F1BBBE8EF85754F110909F9A457781C730D90ACBA3

Control-flow Graph (image not reproduced; basic blocks and edges recovered from the graph data)
• 338: 6cbf22c9-6cbf22dc -> 339, 340
• 339: 6cbf22de-6cbf2301 GetModuleHandleA, GetProcAddress -> 340, 341
• 340: 6cbf2303-6cbf2306 -> 342, 343
• 341: 6cbf233b-6cbf2341 (exit)
• 342: 6cbf2319-6cbf231b -> 341, 344
• 343: 6cbf2308-6cbf2317 OpenProcess -> 342
• 344: 6cbf231d-6cbf232a IsWow64Process -> 345, 346
• 345: 6cbf232f-6cbf2332 -> 341, 347
• 346: 6cbf232c -> 345
• 347: 6cbf2334-6cbf2335 CloseHandle -> 341
APIs
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
• IsWow64Process.KERNEL32(0000028C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
• CloseHandle.KERNELBASE(0000028C,?,?,6CBF173E,00000000,?), ref: 6CBF2335
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: HandleProcess$AddressCloseModuleOpenProcWow64
• String ID: IsWow64Process$KERNEL32.DLL
• API String ID: 4157061983-1193389583
• Opcode ID: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction ID: c0ab2c1abe1b4340081c7cdf9fe61c6d41a4c2e604a853c51e3d6d59090e8d96
• Opcode Fuzzy Hash: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction Fuzzy Hash: 1601A7B5A02584FFDB069F66D90C89E7BBDEBCA7557204126E534D3300D2718B45CB63

Control-flow Graph (image not reproduced)
APIs
• OpenProcessToken.ADVAPI32(000000FF,00020008,?,00000000), ref: 6CBF2F37
• GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 6CBF2F57
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 6CBF2F67
• CloseHandle.KERNELBASE(?), ref: 6CBF2FB7
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,6CBF0000), ref: 6CBF2F8A
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 6CBF2F92
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 6CBF2FA2
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
• String ID:
• API String ID: 1295030180-0
• Opcode ID: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction ID: 9fc0a7b9fc51d0eebef006e9924587aee81be6ddab7e764d3136aa0c5d05aec2
• Opcode Fuzzy Hash: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction Fuzzy Hash: 94212A75900249BFEF019FA5DD44DEEBBBDEB09304F104066E920A6350C7719A09EF61

Control-flow Graph (image not reproduced)
APIs
• memset.NTDLL ref: 6CBF44C1
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(0000028C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(0000028C,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
• SuspendThread.KERNEL32(?), ref: 6CBF456D
• GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
• ResumeThread.KERNELBASE(?), ref: 6CBF45E4
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Thread$HandleProcessResume$AddressCloseErrorLastModuleObjectOpenProcSingleSuspendWaitWow64memset
• String ID:
• API String ID: 3158980537-0
• Opcode ID: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
• Instruction ID: b7bf53af608e10ce6e97ce3a8b46c8b9165ff845f5aff955d537bd41850555bf
• Opcode Fuzzy Hash: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
• Instruction Fuzzy Hash: A231DD71900258BBDF02AFA5C944ADEBB78EF01368F008162F934A7750D7319E5ACF91
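
The three functions above show, one API bullet at a time, a remote-process bitness probe (OpenProcess with access 0x400 followed by IsWow64Process), a token query for elevation and integrity level (GetTokenInformation classes 0x14 and 0x19, then GetSidSubAuthority to read the RID), and a resume/wait/suspend thread sequence. When a report lists hundreds of functions it is quicker to tag them mechanically. The script below is an added example written for this page; it is not part of the Joe Sandbox report or of the analysed sample. It parses the report's "• Api.MODULE(args), ref: ADDR" bullets, skips bullets inherited from subcalls, and tags each function. The tag names and rules are my own choice; the TOKEN_INFORMATION_CLASS values (20 = TokenElevation, 25 = TokenIntegrityLevel) and PROCESS_QUERY_INFORMATION (0x400) come from winnt.h, and the decoder goes by the numeric class, so 0x14 decodes to TokenElevation whatever label is printed beside it. The SAMPLE dictionary is constructed from the bullets above and keyed by the first ref address because the report does not name the functions.

```python
"""Added triage helper: parse the per-function API bullets of a Joe Sandbox
IDA-plugin listing and flag the patterns seen in the functions above."""
import re

# Subset of TOKEN_INFORMATION_CLASS (winnt.h) needed to decode GetTokenInformation's 2nd argument
TOKEN_INFO_CLASS = {0x14: "TokenElevation", 0x19: "TokenIntegrityLevel"}
PROCESS_QUERY_INFORMATION = 0x0400  # OpenProcess access mask used by the Wow64 probe

# '[Part of subcall function X:] Api.MODULE(args), ref: ADDR' (args and ref are optional)
LINE_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[\w.]+)(?:\((?P<args>.*)\))?"
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?$"
)


def parse_call(line):
    """One bullet -> dict with api, module, args, ref, subcall; None if the line is not a call."""
    text = line.strip().lstrip("•").strip()
    m = LINE_RE.match(text)
    if not m:
        return None
    raw = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("mod"),
        "args": [a.strip() for a in raw.split(",")] if raw is not None else [],
        "ref": m.group("ref"),
        "subcall": m.group("sub"),  # set when the bullet was inherited from a callee
    }


def hex_arg(arg):
    """'00000014(TokenIntegrityLevel)' -> 0x14; '?', strings and other non-numeric args -> None."""
    m = re.match(r"^([0-9A-Fa-f]{8})(?:\(.*\))?$", arg)
    return int(m.group(1), 16) if m else None


def flag_function(bullets):
    """Apply the pattern rules to one function's bullets; returns a sorted list of tags."""
    calls = [c for c in (parse_call(b) for b in bullets) if c]
    own = [c for c in calls if c["subcall"] is None]  # rules look at this function's own calls
    names = [c["api"] for c in own]
    tags = set()

    # Thread hijack: resume the target thread, wait briefly, freeze it again (Wow64 variant too)
    if "ResumeThread" in names and {"SuspendThread", "Wow64SuspendThread"} & set(names):
        tags.add("thread-hijack")

    for c in own:
        # Bitness probe of another process: OpenProcess(PROCESS_QUERY_INFORMATION) + IsWow64Process
        if (c["api"] == "OpenProcess" and c["args"]
                and hex_arg(c["args"][0]) == PROCESS_QUERY_INFORMATION
                and "IsWow64Process" in names):
            tags.add("remote-wow64-probe")

        # Token queries: the numeric class decides, whatever label the report attached to it
        if c["api"] == "GetTokenInformation" and len(c["args"]) > 1:
            cls = TOKEN_INFO_CLASS.get(hex_arg(c["args"][1]))
            if cls == "TokenIntegrityLevel" and "GetSidSubAuthority" in names:
                tags.add("integrity-level-check")
            elif cls == "TokenElevation":
                tags.add("elevation-check")

        # Case-insensitive module-name comparison against NTDLL.DLL
        if c["api"].startswith("lstrcmpi") and any(a.upper() == "NTDLL.DLL" for a in c["args"]):
            tags.add("ntdll-name-compare")
    return sorted(tags)


# Constructed sample: bullets copied from the listings above, keyed by the first ref address.
SAMPLE = {
    "6CBF22C9": [
        "• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3",
        "• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4",
        "• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311",
        "• IsWow64Process.KERNEL32(0000028C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322",
        "• CloseHandle.KERNELBASE(0000028C,?,?,6CBF173E,00000000,?), ref: 6CBF2335",
    ],
    "6CBF2F37": [
        "• OpenProcessToken.ADVAPI32(000000FF,00020008,?,00000000), ref: 6CBF2F37",
        "• GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 6CBF2F57",
        "• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 6CBF2F67",
        "• Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE",
        "• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 6CBF2F92",
        "• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 6CBF2FA2",
    ],
    "6CBF44C1": [
        "• memset.NTDLL ref: 6CBF44C1",
        "• Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311",
        "• Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(0000028C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322",
        "• ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C",
        "• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A",
        "• SuspendThread.KERNEL32(?), ref: 6CBF456D",
        "• ResumeThread.KERNELBASE(?), ref: 6CBF45E4",
    ],
}

if __name__ == "__main__":
    for func, bullets in SAMPLE.items():
        print(func, flag_function(bullets))
```

Bullets marked "Part of subcall function" are dropped before the rules run, so the thread-hijack function is not also tagged with the Wow64 probe it merely calls into; that keeps one tag per function that actually implements the behaviour. Feed the script a whole report by splitting it on the "APIs" headers and passing each function's bullet list to flag_function.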
APIs
• lstrcatW.KERNEL32(.dll,?,6CBF0000,00000000,?), ref: 6CBF120F
  • Part of subcall function 6CBF3723: lstrlenA.KERNEL32(6CBF1224,00000000,?,00000027,6CBF0000,00000000,00000000,?,?,?,6CBF1224,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF3759
  • Part of subcall function 6CBF3723: lstrcpyA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF377D
  • Part of subcall function 6CBF3723: lstrcatA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF3785
• HeapFree.KERNEL32(00000000,?,Local\,00000001,00000000,00000001,Local\,00000001,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF1282
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: lstrcat$FreeHeaplstrcpylstrlen
• String ID: .dll$Local\$Software\AppDataLow\Software\Microsoft\
• API String ID: 2335496509-1273941773
• Opcode ID: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
• Instruction ID: f9ee55973e922b6819aef8c67e07787b0fef87324c2b223b26c882a5c12a0ba0
• Opcode Fuzzy Hash: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
• Instruction Fuzzy Hash: 3D115BB5A01289ABEF00CBA6ED45F9E7BB8EB91204F1050A6A431E7B40E730D609CF51
APIs
• CreateFileW.KERNELBASE(6CBF342F,80000000,00000001,00000000,00000003,00000080,00000000,6CBF3417,056587C8,6CBF342F,?,?,6CBF1BFB,056587C8,00000000,00000000), ref: 6CBF3A36
• GetFileSize.KERNEL32(00000000,00000000,?,?,6CBF1BFB,056587C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A46
• ReadFile.KERNELBASE(6CBF342F,00000000,00000000,6CBF3433,00000000,00000001,?,?,6CBF1BFB,056587C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F), ref: 6CBF3A72
• GetLastError.KERNEL32(?,?,6CBF1BFB,056587C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A97
• CloseHandle.KERNEL32(000000FF,?,?,6CBF1BFB,056587C8,00000000,00000000,6CBF3417,00000000,6CBF2116), ref: 6CBF3AA8
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastReadSize
• String ID:
• API String ID: 3577853679-0
• Opcode ID: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
• Instruction ID: 41644cd9c9b9f97e9c6811693926bc9ec7671719c589b5331f1cc4fe94abf577
• Opcode Fuzzy Hash: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
• Instruction Fuzzy Hash: 14115972201295FFDB105F76CC88E9E7B6DDB063A4F10422AF934A7350D3319D4A86A2
APIs
• memset.NTDLL ref: 6CBF436F
  • Part of subcall function 6CBF41BA: memset.NTDLL ref: 6CBF41F6
• ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 6CBF43F9
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF4407
• Wow64SuspendThread.KERNEL32(?), ref: 6CBF441A
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Threadmemset$ObjectResumeSingleSuspendWaitWow64
• String ID:
• API String ID: 390528492-0
• Opcode ID: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
• Instruction ID: c5d6127d432ecac6846b5fedc38fa2e465c2ed4b195dba71b5713391a7266aa7
• Opcode Fuzzy Hash: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
• Instruction Fuzzy Hash: 8E317E71108381AFE711DF50C980AABBBA9FF88318F004929F6A492761DB71D95DDF93
APIs
• RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,?,?), ref: 6CBF3370
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?), ref: 6CBF33B7
• WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CBF3424
• RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?), ref: 6CBF344C
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: AllocateCloseEnumHeapObjectOpenSingleWait
• String ID:
• API String ID: 3664505660-0
• Opcode ID: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
• Instruction ID: c01a025978880df60076113d02ef46dac7817f8015366d424635c291b44ed363
• Opcode Fuzzy Hash: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
• Instruction Fuzzy Hash: 1B317A71D00169EBCF129BAACC448EFFFB9EB85754F104526E9A1B3310C2714A49DB92
APIs
• memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: memcpy
• String ID: LdrGetProcedureAddress$LdrLoadDll$ZwProtectVirtualMemory
• API String ID: 3510742995-2710412950
• Opcode ID: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
• Instruction ID: b26b4d089e5465923a51dcfe1ec991e96474259b2b81f3a0a30ba33eb298a4ef
• Opcode Fuzzy Hash: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
• Instruction Fuzzy Hash: AF0121707122819BCF48DF55E8C1896B7B1FB92354B12C836E2B497B21D331544E8FB2
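Two of the function entries above are worth pulling out of the export automatically: the memset / ResumeThread / WaitForSingleObject / Wow64SuspendThread sequence at 6CBF436F-6CBF441A (a thread suspend/resume pair, the pattern behind the report's thread-injection signatures), and the memcpy at 6CBF3EC5 whose arguments carry the ntdll export names LdrLoadDll, LdrGetProcedureAddress and ZwProtectVirtualMemory (the targets the user-mode hook signatures refer to). The script below is an added triage helper, not Joe Sandbox code and not part of the report: it parses the plain-text "APIs" listings in this section into per-function call lists and flags those two patterns. The rule set, the `ApiCall` structure and the sample input (lines constructed in the shape of the entries on this page) are assumptions of the example; the report format itself defines no such rules.

```python
"""Triage helper for Joe Sandbox "APIs" listings (added example, not Joe Sandbox code).

Parses the per-function API call lists out of a text export of the report and
flags two behaviours visible in this section: a thread suspend/resume pair
(thread hijacking pattern) and a memcpy carrying ntdll export names (a hook
target table). The rule set is an assumption of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ApiCall:
    name: str          # e.g. "ResumeThread"
    module: str        # e.g. "KERNELBASE"
    args: List[str]    # raw argument tokens as printed by the report, may be empty
    ref: str           # code address the report attributes the call to
    subcall: bool      # True when the line is marked "Part of subcall function"


# One report line per call. The argument group is greedy so commas inside the
# parentheses do not end the match; the trailing "ref:" anchors the line.
_API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Constructed sample input: three "APIs" sections in the shape of this page's entries.
SAMPLE_REPORT = """\
APIs
• memset.NTDLL ref: 6CBF436F
  • Part of subcall function 6CBF41BA: memset.NTDLL ref: 6CBF41F6
• ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 6CBF43F9
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF4407
• Wow64SuspendThread.KERNEL32(?), ref: 6CBF441A
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
APIs
• memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
Strings
Memory Dump Source
APIs
• InterlockedIncrement.KERNEL32(6CBFA948), ref: 6CBF1157
• HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6CBF116A
• HeapDestroy.KERNELBASE ref: 6CBF11A6
Memory Dump Source
"""

# Assumed rule inputs: ntdll exports commonly hooked by loaders of this family,
# and the thread-suspend APIs that pair with ResumeThread in a hijack.
HOOK_TARGET_NAMES = {"LdrLoadDll", "LdrGetProcedureAddress",
                     "ZwProtectVirtualMemory", "NtProtectVirtualMemory"}
SUSPEND_APIS = {"SuspendThread", "Wow64SuspendThread", "NtSuspendThread"}


def parse_api_blocks(text: str) -> List[List[ApiCall]]:
    """Return one call list per 'APIs' header; a list ends at the next section header."""
    blocks: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            blocks.append(current)
            continue
        if current is None:
            continue
        m = _API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            current.append(ApiCall(m.group("name"), m.group("mod"), args,
                                   m.group("ref"), bool(m.group("sub"))))
        elif stripped in ("Strings", "Memory Dump Source"):
            current = None
    return blocks


def analyze(text: str) -> List[dict]:
    """Run the two rules over every function's call list and return the hits."""
    findings = []
    for calls in parse_api_blocks(text):
        names = {c.name for c in calls}
        refs = sorted({c.ref for c in calls if not c.subcall})
        if names & SUSPEND_APIS and "ResumeThread" in names:
            findings.append({"rule": "thread-suspend-resume-pair", "refs": refs})
        targets = sorted({a for c in calls for a in c.args if a in HOOK_TARGET_NAMES})
        if targets:
            findings.append({"rule": "ntdll-hook-target-table",
                             "targets": targets, "refs": refs})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_REPORT):
        print(f)
```

Run it over a saved text export of the report to get only the function entries that matter for the injection and hooking signatures; the heap-management entry in the sample produces no finding, which is the point of keeping the rules narrow.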
APIs
• InterlockedIncrement.KERNEL32(6CBFA948), ref: 6CBF1157
• HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6CBF116A
• InterlockedDecrement.KERNEL32(6CBFA948), ref: 6CBF1196
• HeapDestroy.KERNELBASE ref: 6CBF11A6
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: HeapInterlocked$CreateDecrementDestroyIncrement
• String ID:
• API String ID: 4057829272-0
• Opcode ID: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
• Instruction ID: bb848c8a35e7dee50c46aa7aba71969739e237411599ff4d1c02f77b26540bbe
• Opcode Fuzzy Hash: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
• Instruction Fuzzy Hash: 92F0F978786282AFEB049F2ADC09B06BEB4EB87764F598925E474D2740D730D54A8B12
APIs
• RtlUpcaseUnicodeString.NTDLL ref: 6CBF15A6
• RtlFreeUnicodeString.NTDLL(?,?,?), ref: 6CBF1628
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: StringUnicode$FreeUpcase
• String ID: N;U
• API String ID: 941810394-3665909347
• Opcode ID: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
• Instruction ID: 04db9d4d0059404eb37b95737045e883904a8c4d1c567b8457c62cb36d00d5ec
• Opcode Fuzzy Hash: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
• Instruction Fuzzy Hash: A111D071A01385BADF109A21D84079E73A9EB09714F288D25E871D7FA0DB31E94ECB92
APIs
• memset.NTDLL ref: 6CBF2755
• memcpy.NTDLL ref: 6CBF277D
  • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
  • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
  • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
• GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
• GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
• String ID:
• API String ID: 685050087-0
• Opcode ID: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
• Instruction ID: 79cf99de8b29e72afb6cc3e27418fca29fd778fab988e2b27339a1c4fcd54735
• Opcode Fuzzy Hash: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
• Instruction Fuzzy Hash: 2E419FB1504381AFD720CF65C945B9BBBF8EB48314F004A29F5A8C6751E730D91A8B63
APIs
• memset.NTDLL ref: 6CBF1386
  • Part of subcall function 6CBF379A: memcpy.NTDLL(00000000,?,?,?,00000000,00000000,?,?,?,?,6CBF13A4,?,?), ref: 6CBF384F
• HeapFree.KERNEL32(00000000,?,?,?,00000008,EE553B4E,?,?,00000000,EE553B4E), ref: 6CBF13D8
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: FreeHeapmemcpymemset
• String ID: N;U
• API String ID: 2272576838-3665909347
• Opcode ID: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
• Instruction ID: f846aa8a4bedd2feff064d35cf0f8959c5c9789584d21487d1336933b26f5269
• Opcode Fuzzy Hash: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
• Instruction Fuzzy Hash: 51F06DB12022806ADB61CA76AC48E9736BCEBC2348F040925B861C3B40DB61D50E8B61
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetCursorInfo.USER32 ref: 6CBF16FE
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 6CBF113B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LongNamePath$CreateCursorExitFileInfoProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1773960417-0
                                                                                                                                                                                  • Opcode ID: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
                                                                                                                                                                                  • Instruction ID: d67f01e87a2cb07e2a617664e22e2f7a955f37f86d688e3fd11fc16db191311b
                                                                                                                                                                                  • Opcode Fuzzy Hash: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
                                                                                                                                                                                  • Instruction Fuzzy Hash: A8A002F09102C077CD20A7F2981C99E256EAB0320D78CCD097471E3B10CF39D44E5669
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
                                                                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2B87
                                                                                                                                                                                    • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                    • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4138075514-0
                                                                                                                                                                                  • Opcode ID: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
                                                                                                                                                                                  • Instruction ID: 349b2e1dac7b352ec203c28e6d01593987971f3df7588759c45d7327db196996
                                                                                                                                                                                  • Opcode Fuzzy Hash: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA21C471D01268ABCF11CFE5DC84ACEBBB4FF09714F20412AE924B2650C3749A0ACF91
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1279760036-0
                                                                                                                                                                                  • Opcode ID: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
                                                                                                                                                                                  • Instruction ID: b8ce547b5503943abe1f2380b6df63760ba07a9de63245981ce5e6f619c5a836
                                                                                                                                                                                  • Opcode Fuzzy Hash: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
                                                                                                                                                                                  • Instruction Fuzzy Hash: BCB01231610100FFCF014B20DD09F057B71B752700F01C021B3140136082320420EF14
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3298025750-0
                                                                                                                                                                                  • Opcode ID: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
                                                                                                                                                                                  • Instruction ID: 82c2d1d36811edfd1c03c23f412d2c1185ad7d48691b39041a0e41481a5e6262
                                                                                                                                                                                  • Opcode Fuzzy Hash: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
                                                                                                                                                                                  • Instruction Fuzzy Hash: B7B01231200100AFCE014B20DD09F057B71B752700F118021B3180226082324420EF08
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: memset.NTDLL ref: 6CBF3035
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: CloseHandle.KERNEL32(?), ref: 6CBF3097
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
                                                                                                                                                                                    • Part of subcall function 6CBF2FCE: CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
                                                                                                                                                                                    • Part of subcall function 6CBF361F: lstrlenA.KERNEL32(6CBF11FC,00000000,6CBFAA50,00000001,6CBF3293,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?), ref: 6CBF3628
                                                                                                                                                                                    • Part of subcall function 6CBF361F: mbstowcs.NTDLL ref: 6CBF364F
                                                                                                                                                                                    • Part of subcall function 6CBF361F: memset.NTDLL ref: 6CBF3661
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?,6CBF0000,00000000,?), ref: 6CBF32AF
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Heap$AllocTimememset$AddressCloseCompareCreateFindFirstFreeHandleProclstrcatlstrlenmbstowcs
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1861520213-0
                                                                                                                                                                                  • Opcode ID: 632c0a7c1917480f9722b3c4b5c66ef441b6baff53464fb0fa8255fc2ce78c89
                                                                                                                                                                                  • Instruction ID: ebcfe3817d436e011c8e8b27472f73346dde29b45614a4c710ced3c922e8d06a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 632c0a7c1917480f9722b3c4b5c66ef441b6baff53464fb0fa8255fc2ce78c89
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3401F5313002C47EEF005EE6CC85BAA76A8FB46218F600035E974D7750D661CD8F9767
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF29C9
                                                                                                                                                                                    • Part of subcall function 6CBF272F: memset.NTDLL ref: 6CBF2755
                                                                                                                                                                                    • Part of subcall function 6CBF272F: memcpy.NTDLL ref: 6CBF277D
                                                                                                                                                                                    • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
                                                                                                                                                                                    • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
                                                                                                                                                                                  Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: ErrorLastmemset$AllocateHeapmemcpy
• String ID:
• API String ID: 4290293647-0
• Opcode ID: 5ce2d39bcb20866ebbd57dce7cee95c78a89a614e1bba70ba642c17971872cf7
• Instruction ID: e20a20b4ffe397072f3337a5f6c6b14e1848c08153cef7b13dc2852d9c751d95
• Opcode Fuzzy Hash: 5ce2d39bcb20866ebbd57dce7cee95c78a89a614e1bba70ba642c17971872cf7
• Instruction Fuzzy Hash: E801D6715013C86BD321CF29DC44B8B3BE8EF45718F10862AF86497B41D774E90E87A2
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 589042aa51d45c6921daadf7d904c4c7d04190ad83041130710503daa941447a
• Instruction ID: 543552ed40ee6eae6b20bfc3490eeef5b903297026812cac47cae92350035e03
• Opcode Fuzzy Hash: 589042aa51d45c6921daadf7d904c4c7d04190ad83041130710503daa941447a
• Instruction Fuzzy Hash: 11D01730E01659ABCF10DB95D84A99EFB71BF09720F608220E87077690C3301A5ACF91
APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,6CBF0000,00000000,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2E98
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2EA8
  • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: HandleModule$lstrcmp
• String ID: KERNEL32.DLL$N;U$NTDLL.DLL$~
• API String ID: 397996933-4041261047
• Opcode ID: c75f3fc916f4e1d08d367147cd98a7bead831588aa657aaf0338dd4b18985a79
• Instruction ID: 19f683aebdfabf4a7f57d7103aee2776fbd708fb934894f2d6cf2f36c3ea8b17
• Opcode Fuzzy Hash: c75f3fc916f4e1d08d367147cd98a7bead831588aa657aaf0338dd4b18985a79
• Instruction Fuzzy Hash: 5C01A772A073E59FE710CF59EC8451A7BE8EB4E294B22052AE83097740C771A90D4F93
APIs
• memset.NTDLL ref: 6CBF28A7
• GetLastError.KERNEL32(?,00000318,00000008), ref: 6CBF299A
  • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
  • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
  • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
  • Part of subcall function 6CBF2D8F: RtlNtStatusToDosError.NTDLL ref: 6CBF2DA7
• memcpy.NTDLL(00000218,6CBF4C11,00000100,?,00010003,?,?,00000318,00000008), ref: 6CBF2922
• RtlNtStatusToDosError.NTDLL ref: 6CBF297C
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
• String ID:
• API String ID: 2966525677-0
• Opcode ID: 17528c22e1ccc223da11ebd04ec031f5d6751a80abf4e0853c70a829936daa3b
• Instruction ID: b074362c9688eb71973382dc2ea38a9388693c49841304976b1dd1f9fc47c78e
• Opcode Fuzzy Hash: 17528c22e1ccc223da11ebd04ec031f5d6751a80abf4e0853c70a829936daa3b
• Instruction Fuzzy Hash: F931C27190124AAFDB10CF64C998ADEB7B8EB04308F10857AE566D7B40D730EE4A8F52
APIs
• memset.NTDLL ref: 6CBF1DF9
• CoInitializeEx.OLE32(00000000,00000002,6CBF0000,00000000,00000000), ref: 6CBF1E04
• PathFindExtensionW.SHLWAPI(00000000,00000750), ref: 6CBF1E1F
• lstrcpyW.KERNEL32(00000000,.dll), ref: 6CBF1E34
• lstrlenW.KERNEL32(00000000), ref: 6CBF1E41
• lstrlenW.KERNEL32(?), ref: 6CBF1E4A
• lstrlenA.KERNEL32(?), ref: 6CBF1E51
• lstrcpyW.KERNEL32(00000000,.exe), ref: 6CBF1E82
• lstrlenW.KERNEL32(00000000), ref: 6CBF1E8F
• lstrlenW.KERNEL32(056587C8), ref: 6CBF1E95
• wsprintfW.USER32 ref: 6CBF1EB9
• ShellExecuteExW.SHELL32(0000003C), ref: 6CBF1EEE
• CoUninitialize.OLE32(00000000), ref: 6CBF1F02
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: lstrlen$lstrcpy$ExecuteExtensionFindInitializePathShellUninitializememsetwsprintf
• String ID: .dll$.exe$/C "copy "%s" "%s" /y && "%s" "%s""$/C "copy "%s" "%s" /y && rundll32 "%s",%S"$<$PDu$cmd.exe$runas
• API String ID: 1734841466-4037923481
• Opcode ID: 9e9647a51e4acdab2d58de727921fac9f03d9bb0f85fee244261edb201bdbe23
• Instruction ID: 92d29e734af3ffaaaf88026adfeb7d1a2061a2e86b4f72d9d148a6fcf97133ee
• Opcode Fuzzy Hash: 9e9647a51e4acdab2d58de727921fac9f03d9bb0f85fee244261edb201bdbe23
• Instruction Fuzzy Hash: 6131E6B2D01258ABCF119BA69C44D9F7ABCEF06748B084916F920A7701D734CE0ACBA1
APIs
• RegisterClassExW.USER32(00000030), ref: 6CBF589A
• CreateWindowExW.USER32(00000000,WndClass1_56,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF58D4
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: ClassCreateRegisterWindow
• String ID: 0$WndClass1_56$WndClass1_56$WndClass2_56$WndClass2_56
• API String ID: 3469048531-2885991380
• Opcode ID: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
• Instruction ID: 1da1817ac81876e7fe78940ce27b6f698a9a8a0e4fe90b04bb89c4cb50f8de6e
• Opcode Fuzzy Hash: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
• Instruction Fuzzy Hash: 0B513AB0E40248EFDB08CF95C858B9EBBB4FB0A318F14C51AE5256B780D7755A4ACF94
APIs
• memcpy.NTDLL(?,0123456789ABCDEF,00000022), ref: 6CBF553B
• EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF5668
• SuspendThread.KERNEL32(?), ref: 6CBF567B
• RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF56B9
• RegisterClassExW.USER32(00000030), ref: 6CBF56C3
• ResumeThread.KERNEL32(?), ref: 6CBF572E
• LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF5741
• SwitchToThread.KERNEL32 ref: 6CBF5747
  • Part of subcall function 6CBF5240: UnregisterClassW.USER32(?,?), ref: 6CBF528B
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Thread$ClassCriticalSection$EnterFontLeaveRegisterRemoveResourceResumeSuspendSwitchUnregistermemcpy
• String ID: 0$0123456789ABCDEF
• API String ID: 196111645-1037189808
• Opcode ID: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
• Instruction ID: ec8ae05ca656cbd865962590630f0c9e5ad1a008833ab2aeeebbd841a51fc812
• Opcode Fuzzy Hash: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
• Instruction Fuzzy Hash: 5C6149B4A00248CFCB08CF94E594B9DBBB5FB49318F14C16AE9286BB51C735694ECF58
APIs
• ResumeThread.KERNEL32(?), ref: 6CBF677E
• ResumeThread.KERNEL32(?), ref: 6CBF6791
• Sleep.KERNEL32(00000000), ref: 6CBF6799
• LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
• memset.NTDLL ref: 6CBF67EE
• AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
• EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF677E
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF6791
                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 6CBF6799
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF67EE
                                                                                                                                                                                  • AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF3BA2,?,056587C8,00000000,6CBF1E14,00000750), ref: 6CBF3B38
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000000,00000000,0000001D), ref: 6CBF3B51
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 6CBF3B58
                                                                                                                                                                                  • GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 6CBF3B66
                                                                                                                                                                                  • PathFindExtensionA.SHLWAPI(00000000,.bin), ref: 6CBF3B76
                                                                                                                                                                                  • lstrcpyA.KERNEL32(00000000), ref: 6CBF3B7D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PathTemp$AllocateCountExtensionFileFindHeapNameTicklstrcpy
                                                                                                                                                                                  • String ID: .bin
                                                                                                                                                                                  • API String ID: 1954728293-886015214
                                                                                                                                                                                  • Opcode ID: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
                                                                                                                                                                                  • Instruction ID: 3905d135d33b871c7896516b736e2a5dbd637fd96508635cecfa37c238bceb92
                                                                                                                                                                                  • Opcode Fuzzy Hash: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
                                                                                                                                                                                  • Instruction Fuzzy Hash: AAF0F6323429616786115AFB5C48D9F6A7CEF4B565B00021AF534D3700CB20C50F86F6
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000), ref: 6CBF1D69
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • PathFindFileNameW.SHLWAPI(00000000,6CBF0000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D81
                                                                                                                                                                                  • lstrcpyW.KERNEL32(00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D92
                                                                                                                                                                                  • lstrcpyW.KERNEL32(?,Low\,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DA4
                                                                                                                                                                                  • lstrcatW.KERNEL32(00000000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DAA
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
                                                                                                                                                                                    • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Heaplstrcpy$AllocateCloseCreateErrorFindFreeHandleLastNamePathWritelstrcatlstrlen
                                                                                                                                                                                  • String ID: Low\
                                                                                                                                                                                  • API String ID: 3723596976-2980988522
                                                                                                                                                                                  • Opcode ID: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
                                                                                                                                                                                  • Instruction ID: 5e8701f11d77c39a025a0949a0e6b88ad5f1dc7e94c412a8fb6a500fcdbcd2cb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
                                                                                                                                                                                  • Instruction Fuzzy Hash: 321191BA501669BBDF015BB68C44CDF76BCEF067587084915F92097B00CB75CA0A8BF1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(NTDLL.DLL,?,CCCCFEEB,6CBF406A,?,?,?,00000000), ref: 6CBF3DBA
                                                                                                                                                                                  • memcpy.NTDLL(?,6CBFA9C4,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 6CBF3E25
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModulememcpy
                                                                                                                                                                                  • String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
                                                                                                                                                                                  • API String ID: 1801490239-3173696408
                                                                                                                                                                                  • Opcode ID: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
                                                                                                                                                                                  • Instruction ID: ffeb380d8d970bc5294ced276848d6be44e6e33cb8b0d0530b48e838d2b55140
                                                                                                                                                                                  • Opcode Fuzzy Hash: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 530140B9B039819B9B09DA1AE945C573AB1F7C9318712C836E274D7B10D334944E8E73
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,-00001000,00003000,00000004), ref: 6CBF5A8B
                                                                                                                                                                                    • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,6CBF5C0B), ref: 6CBF5386
  • Part of subcall function 6CBF5320: GetAncestor.USER32(?,00000001,?,?,6CBF5C0B), ref: 6CBF539B
  • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,?), ref: 6CBF53D9
• memset.NTDLL ref: 6CBF5AB1
• SetWindowLongW.USER32(?,?,00000000), ref: 6CBF5B2D
• SetClassLongW.USER32(?,00000000,00000000), ref: 6CBF5B47
• SetWindowLongW.USER32(?,?,-00000018), ref: 6CBF5B81
• VirtualFree.KERNEL32(00000000,-00001000,00010000), ref: 6CBF5B99
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Long$Window$Virtual$AllocAncestorClassFreememset
• String ID:
• API String ID: 210331842-0
• Opcode ID: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
• Instruction ID: 4b866780d81807b53a4af51d80212cabb928143c0fb43d53a00e6ddbf7fe0d85
• Opcode Fuzzy Hash: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
• Instruction Fuzzy Hash: 83513AB5700104EFCB08CF98D594FAAB7B5FB89304F1082AAED299B755C731AA49CF54
APIs
• lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: lstrcpyn
• String ID: .bss$Apr 11 2017$N;U$N;U$version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
• API String ID: 97706510-2121357827
• Opcode ID: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
• Instruction ID: bb5a7339562cc7116cf36ba3f756b68a3f4c171f1f3ff192e00d3cceaef4690d
• Opcode Fuzzy Hash: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
• Instruction Fuzzy Hash: 20419F71A002599BDB05CF89C4C0AAEB7B2FF89318F258159DD206B705C374E94ACF92
APIs
• RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF543C
• SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF545C
• SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF548C
• SetThreadPriority.KERNEL32(?,?), ref: 6CBF54AE
• ResumeThread.KERNEL32(?), ref: 6CBF54DF
• SwitchToThread.KERNEL32 ref: 6CBF54E5
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Thread$AffinityMask$FontPriorityRemoveResourceResumeSwitch
• String ID:
• API String ID: 3293583530-0
• Opcode ID: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
• Instruction ID: 9c0a5c3a3cfb1f3b8c9d6fc981a2cf4cc05864e3cf2f8c6865b2b463514c51b8
• Opcode Fuzzy Hash: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
• Instruction Fuzzy Hash: 10219F71704200DFCB08CF25D888B9A73BAFB86305F54C169E9298BB55CB75998DDF04
APIs
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
• GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
• WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
• SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
• CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastWrite
• String ID:
• API String ID: 1150274393-0
• Opcode ID: 1fa98072f8eaf05507fa63ce1bc88c1eaf4cf7b32bb04cdbff0d4c69fa08c6ad
• Instruction ID: dec0df28a768cc174fd2adc2b05bf1900ad554e936af1e7c54224dd283fe291c
• Opcode Fuzzy Hash: 1fa98072f8eaf05507fa63ce1bc88c1eaf4cf7b32bb04cdbff0d4c69fa08c6ad
• Instruction Fuzzy Hash: AFF01D32341124BBDB111BA7AC4CEAB7F7DEB4B7B1F004216FA25D3690C632891196A2
APIs
• LoadLibraryW.KERNEL32(USER32.dll,IsMenu,6CBF70E8), ref: 6CBF50A0
• GetProcAddress.KERNEL32(00000000), ref: 6CBF50A7
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: 0$IsMenu$USER32.dll
• API String ID: 2574300362-703140235
• Opcode ID: cc9a0f938fa14f8b072fec4081c3d8e5c63c78e31e07a8a098205318f7b74d17
• Instruction ID: 26210d2a029d98420bfd28eefd953acc5f0aa6ab2bbcbc41a9e975770cd4b0bf
• Opcode Fuzzy Hash: cc9a0f938fa14f8b072fec4081c3d8e5c63c78e31e07a8a098205318f7b74d17
• Instruction Fuzzy Hash: FB311430A45148EFCB04CFA8D594B9CBBB6FF42309F24C299C42567745C7306B9AEB49
APIs
• lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
• lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
• HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
• wsprintfW.USER32 ref: 6CBF3339
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: lstrlen$AllocHeapwsprintf
• String ID: rundll32 "%s",%S
• API String ID: 458455750-2508549009
• Opcode ID: 5af5c74a5b491cc25dd7be06e68711dc9dbaa5a98aa34cbbcfee8b58046cc697
• Instruction ID: 03e81d6da2243d981d6fd24f2f93a5315b66ed2a564a357d18a82a0696aadbd9
• Opcode Fuzzy Hash: 5af5c74a5b491cc25dd7be06e68711dc9dbaa5a98aa34cbbcfee8b58046cc697
• Instruction Fuzzy Hash: 51F05E32942528FBCF125F65DC0899A7B78EB0AB55B40C122FD39A7710D632CA258BD1
APIs
• CreateWindowExW.USER32(00000000,00008002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF5792
• SetWindowLongW.USER32(00000000,00000000,31323334), ref: 6CBF57C5
• DestroyWindow.USER32(00000000,00000000), ref: 6CBF57FE
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Window$CreateDestroyLong
• String ID: 4321
• API String ID: 409825929-3297689448
• Opcode ID: f3e5668419dce49ce9031371069b3d43b96762121ee3f97bc444d27e37a12afa
• Instruction ID: 1fe00eda46727468619b96eb3d1efaf5705df8dbaf8bad668acc8303ba3c5ac7
• Opcode Fuzzy Hash: f3e5668419dce49ce9031371069b3d43b96762121ee3f97bc444d27e37a12afa
• Instruction Fuzzy Hash: 76112A74E40288EFDB00DFA8CC49BAEB7B5FB05309F108599E5216B780C7746A49CF89
APIs
  • Part of subcall function 6CBF2C92: GetModuleFileNameW.KERNEL32(0000007F,00000000,00000104,00000208,00000000,00000000,?,?,6CBF2386,00000000), ref: 6CBF2CB8
  • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,0000007F), ref: 6CBF23C0
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23D2
• ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23EA
• CloseHandle.KERNEL32(?,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF2405
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3110218675-0
                                                                                                                                                                                  • Opcode ID: 905bf694174791799d3bf9d739f0a8b9a0c00a4c0e4b26336a5cb7e89f5f89f7
                                                                                                                                                                                  • Instruction ID: 42d5959779e206ba71a5bb1d240cd1dbc444fba2413c5b7adac5cfad64f60da8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 905bf694174791799d3bf9d739f0a8b9a0c00a4c0e4b26336a5cb7e89f5f89f7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 161181B1601158BBDB11DA66CC49EEF7E7DEF42758F104021F625E3650D371CA4AC6A2
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
• GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
• GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
• OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: Process$CreateCurrentEventOpenVersion
• String ID:
• API String ID: 845504543-0
• Opcode ID: ab5e7f3a4ed1d2a6a77747dbfbb83043efea3962590a7fb60e60a03e6a8c6304
• Instruction ID: 03ed0ff2bfeded511f8297972549a02d162fba300a47181b58eb7df4853f71a8
• Opcode Fuzzy Hash: ab5e7f3a4ed1d2a6a77747dbfbb83043efea3962590a7fb60e60a03e6a8c6304
• Instruction Fuzzy Hash: 62F0DCB13827008BEF044B69B9197503BB8EB87B11F158626E231DB3C0D361C002CF15
APIs
• LoadLibraryW.KERNEL32(ntdll.dll,6CBF51A0,?,6CBF51A0,NtAllocateVirtualMemory), ref: 6CBF507C
• GetProcAddress.KERNEL32(00000000), ref: 6CBF5083
Strings
Memory Dump Source
• Source File: 00000003.00000002.1716573620.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000003.00000002.1716317614.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000003.00000002.1716573620.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_6cbf0000_regsvr32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: e5078b9ffba2687853459310ebf7c7746a89487c93fe6f6b41bbfde43f9fbaa9
• Instruction ID: 556942d24cc67699f56b70155a36ee8af9bc5f9ffd6a01f0db05e7033bb3bd89
• Opcode Fuzzy Hash: e5078b9ffba2687853459310ebf7c7746a89487c93fe6f6b41bbfde43f9fbaa9
• Instruction Fuzzy Hash: 28C04C76600208AB8A005AF9AC08C9677AC965A6117404412B61983600C635A4588A65

Execution Graph

Execution Coverage: 27.7%
Dynamic/Decrypted Code Coverage: 1.1%
Signature Coverage: 0%
Total number of Nodes: 959
Total number of Limit Nodes: 79
3330->3332 3333 6cbf3e6f 3331->3333 3334 6cbf3ecd 3332->3334 3333->3334 3335 6cbf2b4b 18 API calls 3333->3335 3334->3205 3336 6cbf3e8c 3335->3336 3336->3334 3337 6cbf2b4b 18 API calls 3336->3337 3338 6cbf3ea9 3337->3338 3338->3332 3338->3334 3340 6cbf3d98 3339->3340 3341 6cbf3db2 GetModuleHandleA 3339->3341 3340->3341 3344 6cbf3e1a memcpy 3340->3344 3342 6cbf3e2d 3341->3342 3343 6cbf3dc6 3341->3343 3342->3205 3364 6cbf236c 3343->3364 3344->3342 3347 6cbf236c 11 API calls 3348 6cbf3dec 3347->3348 3348->3342 3349 6cbf236c 11 API calls 3348->3349 3350 6cbf3e08 3349->3350 3350->3342 3350->3344 3378 6cbf11b2 RtlAllocateHeap 3351->3378 3353 6cbf29bf 3354 6cbf2a0e 3353->3354 3355 6cbf29c5 memset 3353->3355 3354->3189 3356 6cbf29fe 3355->3356 3357 6cbf29eb 3355->3357 3394 6cbf2885 memset 3356->3394 3357->3356 3358 6cbf29f4 3357->3358 3379 6cbf272f memset 3358->3379 3361 6cbf29fc 3408 6cbf11c7 RtlFreeHeap 3361->3408 3363->3319 3365 6cbf2c92 5 API calls 3364->3365 3366 6cbf2386 3365->3366 3367 6cbf2414 3366->3367 3368 6cbf389c 2 API calls 3366->3368 3367->3342 3367->3347 3369 6cbf2398 3368->3369 3371 6cbf23ad CreateFileA 3369->3371 3372 6cbf240b 3369->3372 3371->3372 3373 6cbf23ce SetFilePointer 3371->3373 3377 6cbf11c7 RtlFreeHeap 3372->3377 3374 6cbf23dc ReadFile 3373->3374 3375 6cbf2402 CloseHandle 3373->3375 3374->3375 3376 6cbf23f4 3374->3376 3375->3372 3376->3375 3377->3367 3378->3353 3380 6cbf26ae 18 API calls 3379->3380 3381 6cbf2762 memcpy 3380->3381 3409 6cbf2e32 3381->3409 3384 6cbf279f 3386 6cbf4b80 NtWriteVirtualMemory 3384->3386 3385 6cbf2794 GetLastError 3393 6cbf2865 3385->3393 3389 6cbf27c2 3386->3389 3387 6cbf27c9 3387->3361 3388 6cbf2877 GetLastError 3388->3387 3389->3387 3390 6cbf2df1 3 API calls 3389->3390 3391 6cbf281d 3390->3391 3391->3388 3392 6cbf4b80 NtWriteVirtualMemory 3391->3392 3392->3393 3393->3387 3393->3388 3395 6cbf28be 3394->3395 3400 6cbf2982 3394->3400 3396 6cbf2e32 3 API calls 3395->3396 3397 6cbf28cf 3396->3397 3398 6cbf299a 
GetLastError 3397->3398 3399 6cbf2d8f RtlNtStatusToDosError 3397->3399 3401 6cbf29a3 3398->3401 3402 6cbf28e8 3399->3402 3400->3398 3400->3401 3401->3361 3402->3400 3403 6cbf28f3 memcpy 3402->3403 3404 6cbf2935 3403->3404 3405 6cbf2df1 3 API calls 3404->3405 3406 6cbf295d 3405->3406 3406->3400 3406->3401 3407 6cbf297b RtlNtStatusToDosError 3406->3407 3407->3400 3408->3354 3410 6cbf278c 3409->3410 3411 6cbf2e44 NtAllocateVirtualMemory 3409->3411 3410->3384 3410->3385 3411->3410 3412 6cbf2e69 RtlNtStatusToDosError SetLastError 3411->3412 3412->3410 3414 6cbf692b memset GetModuleHandleA InitializeCriticalSection LoadLibraryW 3413->3414 3435 6cbf6924 3413->3435 3415 6cbf6976 LoadLibraryW 3414->3415 3414->3435 3416 6cbf698c 3415->3416 3415->3435 3454 6cbf4fc0 GetVersionExW 3416->3454 3419 6cbf7032 RegisterClassExW 3420 6cbf70ab CreateWindowExW 3419->3420 3419->3435 3423 6cbf70df 3420->3423 3436 6cbf70e8 3420->3436 3421 6cbf69bf 3426 6cbf6a81 IsWow64Process 3421->3426 3421->3435 3482 6cbf51f0 3423->3482 3425 6cbf714e CreateThread 3427 6cbf72a7 UnregisterClassW VirtualFree 3425->3427 3428 6cbf7182 WaitForSingleObject 3425->3428 3493 6cbf5e30 3425->3493 3441 6cbf6a91 3426->3441 3427->3435 3429 6cbf71a8 3428->3429 3430 6cbf71b7 TerminateThread 3428->3430 3429->3430 3431 6cbf71da WaitForSingleObject TerminateThread 3430->3431 3432 6cbf7206 3430->3432 3431->3432 3433 6cbf7215 WaitForSingleObject TerminateThread 3432->3433 3434 6cbf7241 RemoveFontResourceExW 3432->3434 3433->3434 3437 6cbf725b 3434->3437 3438 6cbf7259 3434->3438 3435->2832 3436->3425 3436->3435 3486 6cbf5240 3437->3486 3438->3434 3441->3435 3442 6cbf6bfe LoadLibraryExW 3441->3442 3443 6cbf6c12 3441->3443 3444 6cbf6c2e 3442->3444 3443->3444 3445 6cbf6c1c LoadLibraryExW 3443->3445 3446 6cbf6c38 GetProcAddress 3444->3446 3453 6cbf6c54 3444->3453 3445->3444 3446->3453 3458 6cbf5760 CreateWindowExW 3453->3458 3455 6cbf4fe4 3454->3455 3455->3419 3455->3421 3456 6cbf5020 GetModuleHandleW 3455->3456 3457 6cbf503a 
3456->3457 3457->3421 3459 6cbf5804 3458->3459 3460 6cbf57a1 3458->3460 3466 6cbf5810 RegisterClassExW 3459->3466 3461 6cbf51f0 2 API calls 3460->3461 3462 6cbf57aa 3461->3462 3463 6cbf57fa DestroyWindow 3462->3463 3464 6cbf57b3 SetWindowLongW 3462->3464 3463->3459 3465 6cbf57cd 3464->3465 3465->3463 3467 6cbf58ae CreateWindowExW 3466->3467 3471 6cbf58a7 3466->3471 3468 6cbf58ea RegisterClassExW 3467->3468 3467->3471 3469 6cbf5910 CreateWindowExW 3468->3469 3468->3471 3470 6cbf594b 3469->3470 3469->3471 3472 6cbf51f0 2 API calls 3470->3472 3471->3419 3471->3435 3477 6cbf5190 3471->3477 3473 6cbf5954 3472->3473 3474 6cbf51f0 2 API calls 3473->3474 3475 6cbf5960 3474->3475 3475->3471 3476 6cbf59c6 DestroyWindow DestroyWindow 3475->3476 3476->3471 3490 6cbf5070 LoadLibraryW GetProcAddress 3477->3490 3479 6cbf51a0 3480 6cbf51a9 GetCurrentProcess 3479->3480 3481 6cbf51d2 3479->3481 3480->3481 3481->3419 3483 6cbf5204 3482->3483 3485 6cbf5209 3482->3485 3491 6cbf5090 LoadLibraryW GetProcAddress 3483->3491 3485->3436 3489 6cbf5254 3486->3489 3487 6cbf526e UnregisterClassW 3487->3489 3488 6cbf52a6 UnregisterClassW UnregisterClassW UnregisterClassW 3488->3427 3489->3487 3489->3488 3490->3479 3492 6cbf50b9 3491->3492 3492->3485 3494 6cbf5e9f 3493->3494 3495 6cbf5eae 3493->3495 3494->3495 3496 6cbf5eb5 VirtualAlloc 3494->3496 3497 6cbf5edc SHGetFolderPathW 3496->3497 3498 6cbf6162 3496->3498 3497->3498 3500 6cbf5f0b wcslen 3497->3500 3498->3495 3499 6cbf6174 RegisterClassExW 3498->3499 3499->3495 3501 6cbf6211 memset 3499->3501 3502 6cbf5f6d memset memcpy memcpy AddFontResourceExW 3500->3502 3503 6cbf5f36 3500->3503 3504 6cbf6233 3501->3504 3505 6cbf5fdf RemoveFontResourceExW 3502->3505 3506 6cbf5ff9 3502->3506 3503->3502 3507 6cbf624e CreateWindowExW 3504->3507 3514 6cbf6297 3504->3514 3505->3506 3506->3498 3508 6cbf6003 memset memcpy FindFirstFileW 3506->3508 3507->3504 3507->3514 3509 6cbf6127 3508->3509 3510 6cbf6073 FindNextFileW 3508->3510 3509->3498 3512 6cbf6130 
AddFontResourceExW 3509->3512 3510->3509 3511 6cbf608f 3510->3511 3511->3510 3516 6cbf60aa memset memcpy wcslen memcpy 3511->3516 3512->3498 3513 6cbf6148 RemoveFontResourceExW 3512->3513 3513->3498 3517 6cbf51f0 2 API calls 3514->3517 3518 6cbf6419 3514->3518 3515 6cbf6525 3515->3495 3521 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3515->3521 3516->3511 3519 6cbf6308 3517->3519 3518->3515 3520 6cbf650f DestroyWindow 3518->3520 3522 6cbf51f0 2 API calls 3519->3522 3520->3518 3521->3495 3523 6cbf6598 SetWindowLongW 3521->3523 3530 6cbf6324 3522->3530 3524 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3523->3524 3524->3495 3525 6cbf664a SetThreadAffinityMask 3524->3525 3586 6cbf5500 memcpy 3524->3586 3597 6cbf53f0 3524->3597 3525->3495 3526 6cbf667f SetThreadAffinityMask 3525->3526 3527 6cbf6698 7 API calls 3526->3527 3528 6cbf6706 7 API calls 3526->3528 3529 6cbf6772 ResumeThread ResumeThread Sleep 3527->3529 3528->3529 3534 6cbf679f 3529->3534 3530->3518 3535 6cbf51f0 2 API calls 3530->3535 3531 6cbf67c5 LeaveCriticalSection 3532 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3531->3532 3533 6cbf67e5 memset 3531->3533 3532->3534 3533->3532 3534->3495 3534->3531 3536 6cbf6854 SetMenu 3534->3536 3538 6cbf6886 3534->3538 3537 6cbf63fa 3535->3537 3536->3534 3540 6cbf51f0 2 API calls 3537->3540 3541 6cbf5bb0 3538->3541 3540->3518 3569 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3541->3569 3543 6cbf5c0b 3570 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3543->3570 3545 6cbf5c22 3548 6cbf5c5c 3545->3548 3552 6cbf5c75 3545->3552 3571 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3545->3571 3572 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3548->3572 3550 6cbf5ddb 3577 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3550->3577 3551 6cbf5cf6 GetCurrentProcessId 3554 6cbf5cc1 3551->3554 3573 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3552->3573 3553 6cbf5320 SetWindowLongW GetAncestor 
SetWindowLongW 3557 6cbf5d72 3553->3557 3554->3551 3554->3557 3561 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3554->3561 3567 6cbf5d58 3554->3567 3557->3550 3557->3553 3563 6cbf5dc7 3557->3563 3558 6cbf5df1 3578 6cbf59f0 3558->3578 3559 6cbf5c85 3559->3554 3574 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3559->3574 3561->3554 3576 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3563->3576 3564 6cbf59f0 9 API calls 3565 6cbf5e1c 3564->3565 3565->3495 3575 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3567->3575 3569->3543 3570->3545 3571->3545 3572->3552 3573->3559 3574->3559 3575->3557 3576->3550 3577->3558 3579 6cbf5a37 3578->3579 3580 6cbf5a5d VirtualAlloc 3579->3580 3584 6cbf5a50 3579->3584 3585 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3579->3585 3582 6cbf5a9a 3580->3582 3583 6cbf5aa1 memset SetWindowLongW SetClassLongW SetWindowLongW VirtualFree 3580->3583 3582->3564 3583->3582 3584->3580 3585->3579 3591 6cbf5592 3586->3591 3587 6cbf5752 3588 6cbf5240 UnregisterClassW 3587->3588 3589 6cbf5757 3588->3589 3590 6cbf564e EnterCriticalSection SuspendThread 3590->3591 3591->3587 3591->3590 3592 6cbf5240 UnregisterClassW 3591->3592 3593 6cbf56bf RegisterClassExW 3591->3593 3594 6cbf56ab RemoveFontResourceExW 3591->3594 3595 6cbf5722 ResumeThread LeaveCriticalSection SwitchToThread 3591->3595 3596 6cbf5240 UnregisterClassW 3591->3596 3592->3591 3593->3591 3594->3593 3595->3591 3596->3595 3600 6cbf53fb 3597->3600 3598 6cbf54f0 3599 6cbf542f RemoveFontResourceExW SetThreadAffinityMask 3599->3600 3600->3598 3600->3599 3601 6cbf5494 SetThreadPriority 3600->3601 3602 6cbf5473 SetThreadAffinityMask 3600->3602 3603 6cbf54e5 SwitchToThread 3600->3603 3604 6cbf54d2 ResumeThread 3600->3604 3601->3600 3602->3600 3603->3600 3604->3603 3622 6cbf3b2b GetTempPathA 3605->3622 3607 6cbf3ba2 3608 6cbf1d52 3607->3608 3609 6cbf361f 4 API calls 3607->3609 3608->2836 3612 6cbf3ac5 CreateFileW 3608->3612 3610 6cbf3bb0 3609->3610 3632 6cbf11c7 RtlFreeHeap 
3610->3632 3613 6cbf3aeb GetLastError 3612->3613 3614 6cbf3af5 WriteFile 3612->3614 3615 6cbf3b23 3613->3615 3616 6cbf3b0b SetEndOfFile 3614->3616 3617 6cbf3b14 GetLastError 3614->3617 3615->2840 3618 6cbf3b1c CloseHandle 3616->3618 3617->3618 3618->3615 3619->2843 3620->2849 3621->2836 3623 6cbf3b8b 3622->3623 3624 6cbf3b40 3622->3624 3623->3607 3633 6cbf11b2 RtlAllocateHeap 3624->3633 3626 6cbf3b49 3626->3623 3627 6cbf3b4f GetTempPathA 3626->3627 3628 6cbf3b57 GetTickCount GetTempFileNameA 3627->3628 3629 6cbf3b85 3627->3629 3628->3629 3630 6cbf3b70 PathFindExtensionA lstrcpyA 3628->3630 3634 6cbf11c7 RtlFreeHeap 3629->3634 3630->3623 3632->3608 3633->3626 3634->3623 3635->2862 3636->2862 3637->2864 3638->2866 3639 3f50000 3640 3f503e6 3639->3640 3641 3f504f0 NtProtectVirtualMemory 3640->3641 3642 3f50542 NtAllocateVirtualMemory 3641->3642 3647 3f5065b 3641->3647 3643 3f5057e 3642->3643 3642->3647 3643->3647 3648 3f50dd2 3643->3648 3646 3f50821 NtProtectVirtualMemory 3646->3647 3651 3f50df8 3648->3651 3649 3f5080d 3649->3646 3649->3647 3650 3f50e58 LdrLoadDll 3650->3651 3651->3649 3651->3650 3659 6cbf62a7 3660 6cbf62b6 3659->3660 3662 6cbf51f0 2 API calls 3660->3662 3663 6cbf6419 3660->3663 3661 6cbf6525 3664 6cbf6542 3661->3664 3667 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3661->3667 3665 6cbf6308 3662->3665 3663->3661 3666 6cbf650f DestroyWindow 3663->3666 3668 6cbf51f0 2 API calls 3665->3668 3666->3663 3667->3664 3669 6cbf6598 SetWindowLongW 3667->3669 3676 6cbf6324 3668->3676 3670 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3669->3670 3670->3664 3671 6cbf664a SetThreadAffinityMask 3670->3671 3687 6cbf5500 9 API calls 3670->3687 3688 6cbf53f0 6 API calls 3670->3688 3671->3664 3672 6cbf667f SetThreadAffinityMask 3671->3672 3673 6cbf6698 7 API calls 3672->3673 3674 6cbf6706 7 API calls 3672->3674 3675 6cbf6772 ResumeThread ResumeThread Sleep 3673->3675 3674->3675 3680 6cbf679f 3675->3680 3676->3663 3681 6cbf51f0 2 API 
calls 3676->3681 3677 6cbf67c5 LeaveCriticalSection 3678 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3677->3678 3679 6cbf67e5 memset 3677->3679 3678->3680 3679->3678 3680->3664 3680->3677 3682 6cbf6854 SetMenu 3680->3682 3684 6cbf6886 3680->3684 3683 6cbf63fa 3681->3683 3682->3680 3686 6cbf51f0 2 API calls 3683->3686 3685 6cbf5bb0 10 API calls 3684->3685 3685->3664 3686->3663 3689 6cbf70a6 3690 6cbf7139 3689->3690 3691 6cbf714e CreateThread 3690->3691 3692 6cbf7147 3690->3692 3693 6cbf72a7 UnregisterClassW VirtualFree 3691->3693 3694 6cbf7182 WaitForSingleObject 3691->3694 3705 6cbf5e30 67 API calls 3691->3705 3693->3692 3695 6cbf71a8 3694->3695 3696 6cbf71b7 TerminateThread 3694->3696 3695->3696 3697 6cbf71da WaitForSingleObject TerminateThread 3696->3697 3698 6cbf7206 3696->3698 3697->3698 3699 6cbf7215 WaitForSingleObject TerminateThread 3698->3699 3700 6cbf7241 RemoveFontResourceExW 3698->3700 3699->3700 3701 6cbf725b 3700->3701 3702 6cbf7259 3700->3702 3703 6cbf5240 UnregisterClassW 3701->3703 3702->3700 3704 6cbf7260 UnregisterClassW UnregisterClassW UnregisterClassW 3703->3704 3704->3693 3794 6cbf6645 3795 6cbf6772 ResumeThread ResumeThread Sleep 3794->3795 3800 6cbf679f 3795->3800 3796 6cbf688b 3797 6cbf67c5 LeaveCriticalSection 3798 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3797->3798 3799 6cbf67e5 memset 3797->3799 3798->3800 3799->3798 3800->3796 3800->3797 3801 6cbf6854 SetMenu 3800->3801 3802 6cbf6886 3800->3802 3801->3800 3803 6cbf5bb0 10 API calls 3802->3803 3803->3796 3804 6cbf7344 3805 6cbf7362 3804->3805 3807 6cbf73f8 3804->3807 3806 6cbf755d NtQueryVirtualMemory 3805->3806 3809 6cbf737d 3806->3809 3808 6cbf7448 RtlUnwind 3808->3809 3809->3807 3809->3808 3652 6cbf1142 3653 6cbf114f 3652->3653 3654 6cbf1191 InterlockedDecrement 3652->3654 3655 6cbf1179 3653->3655 3657 6cbf1152 InterlockedIncrement 3653->3657 3654->3655 3656 6cbf11a0 HeapDestroy 3654->3656 3656->3655 3657->3655 3658 6cbf1161 HeapCreate 
3657->3658 3658->3655 3752 6cbf5300 DefWindowProcW

Control-flow Graph

APIs
• HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
• HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
• memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
• CloseHandle.KERNEL32(?), ref: 6CBF3097
• StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
• lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
• FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
• FindNextFileA.KERNEL32(?,?), ref: 6CBF3125
• FindClose.KERNEL32(?), ref: 6CBF3132
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF313E
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3160
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF3193
• memcpy.NTDLL(00000000,?,00000000), ref: 6CBF31CC
• FindNextFileA.KERNELBASE(?,?), ref: 6CBF31E1
• FindClose.KERNEL32(?), ref: 6CBF31EE
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF31FA
• CompareFileTime.KERNEL32(?,?), ref: 6CBF320A
• FindClose.KERNELBASE(?), ref: 6CBF322E
• HeapFree.KERNEL32(00000000,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF3240
• HeapFree.KERNEL32(00000000,6CBF11FC), ref: 6CBF3250
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$Find$CloseHeapTime$CompareFirst$AllocEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
• String ID: %systemroot%\system32\c_1252.nls$C;U$N;U$\*.dll
• API String ID: 65366329-1666359264
• Opcode ID: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
• Instruction ID: 05d5463d24ce46c45770ecb8a2ba2b729a7eeb245f1c4261e05fee7f870330c0
• Opcode Fuzzy Hash: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
• Instruction Fuzzy Hash: 55815AB1E00159AFDF119FA5DC88AEEBBB9FB4A300F10416AE525E3350D7319A49CF61

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000002), ref: 6CBF1022
                                                                                                                                                                                  • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 6CBF1043
                                                                                                                                                                                  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,0000000C,?,00000000,00000000,?), ref: 6CBF1068
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,?,?), ref: 6CBF1092
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,vbox), ref: 6CBF10A4
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,qemu), ref: 6CBF10B0
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,vmware), ref: 6CBF10BC
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,virtual hd), ref: 6CBF10C8
                                                                                                                                                                                  • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 6CBF10DA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Setup$Device$InfoPropertyRegistry$AllocateClassDestroyDevsEnumHeapList
                                                                                                                                                                                  • String ID: qemu$vbox$virtual hd$vmware
                                                                                                                                                                                  • API String ID: 2901969455-1017834832
                                                                                                                                                                                  • Opcode ID: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
                                                                                                                                                                                  • Instruction ID: fd22ef24022785b512a174992cb252a9fd1467c273b143b92da56823b82780ef
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B21697190115DBAEF01DAA5CD80DFFBBBCEB06758F140526F920E3640D7719E0A9B61

                                                                                                                                                                                   Control-flow Graph: basic blocks 6CBF3ED3-6CBF40CA (rendered graph and its edge list not reproduced; the calls it contains are listed under APIs)
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF3FBC
                                                                                                                                                                                  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF400D
                                                                                                                                                                                    • Part of subcall function 6CBF3E34: memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
                                                                                                                                                                                  • memcpy.NTDLL(?,6CBF46C5,00000800,?,?,?,00000000), ref: 6CBF407D
                                                                                                                                                                                    • Part of subcall function 6CBF29AA: memset.NTDLL ref: 6CBF29C9
                                                                                                                                                                                  • NtUnmapViewOfSection.NTDLL ref: 6CBF40A8
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF40AF
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?,?,?,00000000), ref: 6CBF40BE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$CloseErrorHandleSectionStatusUnmapViewmemset
                                                                                                                                                                                  • String ID: N;U
                                                                                                                                                                                  • API String ID: 742001727-3665909347
                                                                                                                                                                                  • Opcode ID: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
                                                                                                                                                                                  • Instruction ID: 77e417ceb0d9adca1ac51cfcdb02af875be58890c25355191e9974a46a12a127
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D613AB1A0124AEFDF10CFA8C984A9EBBB9FF04308F104569E925A7751D731A64ACF51

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ZwOpenProcess.NTDLL(6CBF0000,00000400,?,?,?,00000000,00000000), ref: 6CBF1B14
                                                                                                                                                                                  • ZwOpenProcessToken.NTDLL(6CBF0000,00000008,00000000), ref: 6CBF1B27
                                                                                                                                                                                  • ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,6CBF0000), ref: 6CBF1B42
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,6CBF0000,6CBF0000,6CBF0000), ref: 6CBF1B5F
                                                                                                                                                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 6CBF1B6C
                                                                                                                                                                                  • ZwClose.NTDLL(00000000,6CBF0000), ref: 6CBF1B7E
                                                                                                                                                                                  • ZwClose.NTDLL(6CBF0000), ref: 6CBF1B87
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2575439697-0
                                                                                                                                                                                  • Opcode ID: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
                                                                                                                                                                                  • Instruction ID: 835a9d551e7a3b4cbb89d56226c5fc3c20b14dc4dff64b5f9f73d6a45fe889c3
                                                                                                                                                                                  • Opcode Fuzzy Hash: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
                                                                                                                                                                                  • Instruction Fuzzy Hash: F22119B1A00118BBDF01DFA5CC449DEBFBDEF09750F104066F514E6221D7719A4A9BA0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
                                                                                                                                                                                  • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                    • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                    • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64QueryInformationProcess64, xrefs: 6CBF24A3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                                                                                                                                                  • String ID: ZwWow64QueryInformationProcess64
                                                                                                                                                                                  • API String ID: 3547194813-1903490642
                                                                                                                                                                                  • Opcode ID: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
                                                                                                                                                                                  • Instruction ID: bf70ba9ce6e551137f06e5f2f295773d0e82bfd0e0e834d7786fb84ced7a2c54
                                                                                                                                                                                  • Opcode Fuzzy Hash: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62616270A01286EBDF05CFA5D894BEEBBB4FF08304F104529E964A7741D770E959CBA2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 6CBF499E
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF49C3
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF49DF
                                                                                                                                                                                  • ZwClose.NTDLL(?), ref: 6CBF49F3
                                                                                                                                                                                    • Part of subcall function 6CBF4904: NtMapViewOfSection.NTDLL ref: 6CBF4931
                                                                                                                                                                                    • Part of subcall function 6CBF4904: RtlNtStatusToDosError.NTDLL ref: 6CBF4938
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorSectionStatus$CloseCreateViewmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 783833395-0
                                                                                                                                                                                  • Opcode ID: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
                                                                                                                                                                                  • Instruction ID: 73a2bb660cde6f3345ac6d6d02d1d5e594ad71e821b93691309b4e7821b780b6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
                                                                                                                                                                                  • Instruction Fuzzy Hash: 55215975A00269AFCF01CFA8CD449EEBBB8EB09720F104516F920E7240D7719A598FA5
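The API bullets in the function listings above encode the sample's sandbox check and its section-based injection as raw hex. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses bullets in the shape the listings use ("Func.MODULE(args), ref: ADDR", including the indented "Part of subcall function" form) and names the constants they carry, so the primitives can be read off without a header lookup: SECTION_ALL_ACCESS, PAGE_EXECUTE_READWRITE and SEC_COMMIT with a NULL FileHandle in NtCreateSection (a pagefile-backed RWX section for the NtMapViewOfSection / memcpy / NtUnmapViewOfSection sequence), PROCESS_QUERY_INFORMATION, TOKEN_QUERY and TokenUser in the token-compare function, ProcessBasicInformation with a 0x30-byte buffer in the WoW64 query, and the four device-name substrings handed to StrStrIA after SetupAPI enumeration. Constant values are those of the Windows SDK and NT headers; the decoder table, the parameter positions (taken from the documented prototypes) and the sample bullets copied from the listings above are this example's own. Joe Sandbox prints stack slots past a call's real parameter count (ZwOpenProcess shows seven values for four parameters), so only documented positions are decoded.

```python
"""Decode the 'APIs' bullets of a Joe Sandbox function listing.

Added example, not part of the report or of the analysed sample. Constant
names/values are from the Windows SDK and NT headers; argument positions
follow the documented prototypes.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# "Func.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
_API_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<func>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:,? ref: (?P<ref>[0-9A-Fa-f]+))?"
)
_HEX_RE = re.compile(r"^[0-9A-F]{1,8}$")

# (function, zero-based parameter index) -> (parameter name, {value: name}).
# Only documented parameter positions are listed; the report prints extra
# stack slots past the real argument count, which are left undecoded.
DECODERS: Dict[Tuple[str, int], Tuple[str, Dict[int, str]]] = {
    ("NtCreateSection", 1): ("DesiredAccess", {0x000F001F: "SECTION_ALL_ACCESS"}),
    ("NtCreateSection", 4): ("SectionPageProtection",
                             {0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                              0x40: "PAGE_EXECUTE_READWRITE"}),
    ("NtCreateSection", 5): ("AllocationAttributes",
                             {0x01000000: "SEC_IMAGE", 0x08000000: "SEC_COMMIT"}),
    ("ZwOpenProcess", 1): ("DesiredAccess",
                           {0x0400: "PROCESS_QUERY_INFORMATION", 0x001F0FFF: "PROCESS_ALL_ACCESS"}),
    ("ZwOpenProcessToken", 1): ("DesiredAccess", {0x0008: "TOKEN_QUERY"}),
    ("ZwQueryInformationToken", 1): ("TokenInformationClass", {1: "TokenUser"}),
    ("NtWow64QueryInformationProcess64", 1): ("ProcessInformationClass",
                                              {0: "ProcessBasicInformation"}),
}
# Device-name substrings the sample passes to StrStrIA after SetupAPI enumeration.
VM_MARKERS = {"vbox", "qemu", "vmware", "virtual hd"}


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[str]
    ref: Optional[int]
    subcall_of: Optional[int] = None
    notes: List[str] = field(default_factory=list)


def parse_api_line(line: str) -> ApiCall:
    """Turn one bullet of an 'APIs' list into an ApiCall; raise on anything else."""
    text = line.strip().lstrip("•").strip()
    m = _API_RE.match(text)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(func=m.group("func"), module=m.group("mod"), args=args,
                   ref=int(m.group("ref"), 16) if m.group("ref") else None,
                   subcall_of=int(m.group("sub"), 16) if m.group("sub") else None)


def decode(call: ApiCall) -> ApiCall:
    """Attach notes naming known constants and the VM-marker strings."""
    for idx, arg in enumerate(call.args):
        key = (call.func, idx)
        if key in DECODERS and _HEX_RE.match(arg):
            param, names = DECODERS[key]
            value = int(arg, 16)
            call.notes.append(f"{param}={names.get(value, hex(value))}")
    if call.func == "StrStrIA" and len(call.args) > 1 and call.args[1].lower() in VM_MARKERS:
        call.notes.append(f"VM marker '{call.args[1]}'")
    # NtCreateSection parameter 6 is FileHandle; NULL means a pagefile-backed section.
    if call.func == "NtCreateSection" and len(call.args) > 6 and call.args[6] == "00000000":
        call.notes.append("FileHandle=NULL (pagefile-backed section)")
    return call


def analyze(lines: List[str]) -> List[ApiCall]:
    """Parse and decode every API bullet, skipping lines that are not one."""
    calls = []
    for line in lines:
        try:
            calls.append(decode(parse_api_line(line)))
        except ValueError:
            continue
    return calls


# Sample input: API bullets copied from the function listings in this report.
SAMPLE = [
    "• StrStrIA.SHLWAPI(00000000,vbox), ref: 6CBF10A4",
    "• StrStrIA.SHLWAPI(00000000,virtual hd), ref: 6CBF10C8",
    "• ZwOpenProcess.NTDLL(6CBF0000,00000400,?,?,?,00000000,00000000), ref: 6CBF1B14",
    "• ZwOpenProcessToken.NTDLL(6CBF0000,00000008,00000000), ref: 6CBF1B27",
    "• ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,6CBF0000), ref: 6CBF1B42",
    "• NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC",
    "• NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 6CBF499E",
    "• memset.NTDLL ref: 6CBF49C3",
    "  • Part of subcall function 6CBF4904: NtMapViewOfSection.NTDLL ref: 6CBF4931",
    "Memory Dump Source",  # non-API line, skipped
]

if __name__ == "__main__":
    for c in analyze(SAMPLE):
        print(f"{(c.ref or 0):08X} {c.func:<34} {'; '.join(c.notes)}")
```

Run against a whole exported report, the decoded notes make the injection chain (RWX pagefile section created, mapped, filled by memcpy, unmapped) and the sandbox check (device names matched against the four vendor strings) stand out without consulting the headers for each hex value.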
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                  • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64ReadVirtualMemory64, xrefs: 6CBF2434
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressMemory64ProcReadVirtualWow64
                                                                                                                                                                                  • String ID: ZwWow64ReadVirtualMemory64
                                                                                                                                                                                  • API String ID: 752694512-2880279267
                                                                                                                                                                                  • Opcode ID: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
                                                                                                                                                                                  • Instruction ID: 31dffb25bcd454abb4ef14d41b2bda261722909730cd7705e27962e654375083
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
                                                                                                                                                                                  • Instruction Fuzzy Hash: EFF03A76600644BFCF068F96DC04C4EFFBAEB89350B108429F96093320D271D956DF21

APIs
• GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000000), ref: 6CBF22A0
• NtWow64QueryInformationProcess64.NTDLL(6CBF4211,00000000,00000000,00000030,6CBF4211,00000000,6CBF4211,?,?,C000009A,?,00000000,00000000), ref: 6CBF22BF
Strings
• ZwWow64QueryInformationProcess64, xrefs: 6CBF2295
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AddressInformationProcProcess64QueryWow64
• String ID: ZwWow64QueryInformationProcess64
• API String ID: 1650446693-1903490642
• Opcode ID: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
• Instruction ID: 70f10d12b7686bd382422908f4539a7a2e55624809dfc16690092b60b051b051
• Opcode Fuzzy Hash: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
• Instruction Fuzzy Hash: 64E04F31305351AFEB028A54EC05F057BB4AB5A754F054425B534E3350D321CD15DF52

APIs
• NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,?,00000000,DF18C02A), ref: 03F50532
• NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 03F50569
• NtProtectVirtualMemory.NTDLL(000000FF,?,00001000,00000002,?,?,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 03F5084C
Memory Dump Source
• Source File: 00000004.00000002.1717343938.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3f50000_rundll32.jbxd
Similarity
• API ID: MemoryVirtual$Protect$Allocate
• String ID:
• API String ID: 955180148-0
• Opcode ID: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
• Instruction ID: e477c566c4eacaad22e8796ee155bd16bcc40619a1c31f90b3092083f98085d0
• Opcode Fuzzy Hash: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
• Instruction Fuzzy Hash: 8DF15772E012199FDF04CFA5C980ADDBBB2FF88310F258169E919BB255DB34A942CF50

APIs
• NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
• RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
• SetLastError.KERNEL32(00000000), ref: 6CBF2E71
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Error$AllocateLastMemoryStatusVirtual
• String ID:
• API String ID: 722216270-0
• Opcode ID: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
• Instruction ID: e1696c6e52f82c8b35b8127d70b07aa4c4083810d5045a848bfb14f64b6b2c96
• Opcode Fuzzy Hash: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
• Instruction Fuzzy Hash: A4F05E71A11309FBEB04CB95D819B9EB7BCAB05305F104048A210A6280EBB4EB04CB65

APIs
• NtWriteVirtualMemory.NTDLL(?,00000004,6CBF468D,6CBF468D,00000000,74E05030,?,6CBF3C80,?,00000004,6CBF468D,00000004,?), ref: 6CBF2E0F
• RtlNtStatusToDosError.NTDLL ref: 6CBF2E1E
• SetLastError.KERNEL32(00000000,?,6CBF3C80,?,00000004,6CBF468D,00000004,?,?,?,?,6CBF453C,00000000,6CBF468D,CCCCFEEB,00000000), ref: 6CBF2E25
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Error$LastMemoryStatusVirtualWrite
• String ID:
• API String ID: 1089604434-0
• Opcode ID: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
• Instruction ID: b68facb3353404949bade2746c938b6a2a580ca39d6f051695f5ef0a5dfee969
• Opcode Fuzzy Hash: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
• Instruction Fuzzy Hash: 08E01232241299ABDF015FE9AC08D8B7B69EB0D751B104425BA21C6711C731D5219BA1

APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?,?,03F5080D,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 03F50E7A
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717343938.0000000003F50000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F50000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_3f50000_rundll32.jbxd
Similarity
• API ID: Load
• String ID: U/
• API String ID: 2234796835-28647567
• Opcode ID: 95ad536bfe3863d19e965b884b539d5f883aa0a128a14424d074b338dc3537cf
• Instruction ID: 9df7e62a2cb192f52cded3adb49ad734e80058a9a7fdeab56869896470ff8cdd
• Opcode Fuzzy Hash: 95ad536bfe3863d19e965b884b539d5f883aa0a128a14424d074b338dc3537cf
• Instruction Fuzzy Hash: 0761FD75E1020AAFDF04CFA5D9819EEBBB2FF88310F14C569E915A7244DB34AA458F90

APIs
• NtQuerySystemInformation.NTDLL ref: 6CBF2D4A
• RtlNtStatusToDosError.NTDLL ref: 6CBF2D83
  • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: ErrorFreeHeapInformationQueryStatusSystem
• String ID:
• API String ID: 2533303245-0
• Opcode ID: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
• Instruction ID: f03f2fbc581efe32e4f056fd35d422eeb25efae4bed09f61f2f51062f8b05a37
• Opcode Fuzzy Hash: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
• Instruction Fuzzy Hash: D701F27A9039F4AAD7124655890CBDE7968CF46B58F110114ED30A7B00D770CE0A82F3

APIs
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: ErrorSectionStatusView
• String ID:
• API String ID: 1313840181-0
• Opcode ID: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
• Instruction ID: 83790d556e31726be7f376e3c44faf6c4d30b93a27a300a62e93d82d0fcede85
• Opcode Fuzzy Hash: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
• Instruction Fuzzy Hash: 31E0E5B6900208FFEF059F95DC0FDEF7B7DEB45300F00856AF615A6151E6B1AA149B60

APIs
• NtWriteVirtualMemory.NTDLL ref: 6CBF4BCB
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: MemoryVirtualWrite
• String ID:
• API String ID: 3527976591-0
• Opcode ID: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
• Instruction ID: 28cc42cccdb4055abea283a3ea790c5e4a853cf746611ce8e43d63e46f8e3474
• Opcode Fuzzy Hash: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
• Instruction Fuzzy Hash: 75F0243101860A5BD714EB58CC82EA6B3ECFF49310F04065CBCA5873D1E671B964CBC2

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 0 6cbf1f0f-6cbf1f2a 1 6cbf1f2c 0->1 2 6cbf1f33-6cbf1f39 0->2 1->2 3 6cbf1f3f-6cbf1f47 2->3 4 6cbf2277-6cbf2283 2->4 3->4 5 6cbf1f4d-6cbf1f5a StrChrA 3->5 5->4 6 6cbf1f60-6cbf1fa8 lstrcpyA lstrcatA * 2 RegOpenKeyA 5->6 6->4 7 6cbf1fae-6cbf1fcb RegQueryValueExW 6->7 8 6cbf2267 7->8 9 6cbf1fd1-6cbf1ff9 lstrlenW HeapAlloc 7->9 10 6cbf226e-6cbf2271 RegCloseKey 8->10 9->8 11 6cbf1fff-6cbf2015 RegQueryValueExW 9->11 10->4 12 6cbf201b-6cbf2068 PathCombineW CreateDirectoryW PathCombineW CreateDirectoryW PathCombineW lstrcmpiW 11->12 13 6cbf2257-6cbf2265 HeapFree 11->13 14 6cbf206e-6cbf2076 12->14 15 6cbf2250 12->15 13->10 16 6cbf2078-6cbf207f call 6cbf32ee 14->16 17 6cbf2081-6cbf2082 call 6cbf35c6 14->17 15->13 21 6cbf2087-6cbf208c 16->21 17->21 22 6cbf2247-6cbf224e 21->22 23 6cbf2092-6cbf20cb lstrcpyA RegOpenKeyExA 21->23 22->13 24 6cbf20cd-6cbf20ff lstrlenW RegSetValueExW RegCloseKey 23->24 25 6cbf2105-6cbf210a 23->25 24->25 26 6cbf2235-6cbf2245 HeapFree 24->26 27 6cbf210c-6cbf2111 call 6cbf1be5 25->27 28 6cbf2121-6cbf2129 call 6cbf1c30 25->28 26->13 31 6cbf2116-6cbf211b 27->31 32 6cbf212e-6cbf2133 28->32 31->28 33 6cbf2232 31->33 34 6cbf21de-6cbf21e1 32->34 35 6cbf2139-6cbf213b 32->35 33->26 38 6cbf222f 34->38 39 6cbf21e3-6cbf21fd RegOpenKeyExA 34->39 36 6cbf213d-6cbf2145 call 6cbf35c6 35->36 37 6cbf2147-6cbf2174 lstrcpyA RegCreateKeyA 35->37 36->37 37->33 41 6cbf217a-6cbf219d RegQueryValueExA 37->41 38->33 39->33 42 6cbf21ff-6cbf2218 RegOpenKeyW 39->42 44 6cbf219f-6cbf21a3 41->44 45 6cbf21bb-6cbf21c0 41->45 46 6cbf221a-6cbf222d RegDeleteValueW RegCloseKey 42->46 47 6cbf21d3-6cbf21dc RegCloseKey 42->47 44->45 48 6cbf21a5-6cbf21b9 RegSetValueExA 44->48 45->47 49 6cbf21c2-6cbf21d1 RegSetValueExA 45->49 46->47 47->33 48->45 49->47
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 6CBF1F52
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?), ref: 6CBF1F6A
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,\Software\Microsoft\Windows\CurrentVersion), ref: 6CBF1F82
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,\Explorer\Shell Folders), ref: 6CBF1F90
                                                                                                                                                                                  • RegOpenKeyA.ADVAPI32(?,?,?), ref: 6CBF1FA0
                                                                                                                                                                                  • RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF1FC6
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 6CBF1FD7
                                                                                                                                                                                  • HeapAlloc.KERNEL32(00000000,?), ref: 6CBF1FEC
                                                                                                                                                                                  • RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF2011
                                                                                                                                                                                  • PathCombineW.SHLWAPI(00000000,00000000,Microsoft), ref: 6CBF2033
                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2037
                                                                                                                                                                                  • PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2045
                                                                                                                                                                                  • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2049
                                                                                                                                                                                  • PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2057
                                                                                                                                                                                  • lstrcmpiW.KERNEL32(00000000), ref: 6CBF2060
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
                                                                                                                                                                                    • Part of subcall function 6CBF32EE: wsprintfW.USER32 ref: 6CBF3339
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,\Run,00000000), ref: 6CBF20A2
                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(?,?,00000000,6CBF3417,?), ref: 6CBF20C3
                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 6CBF20D0
                                                                                                                                                                                  • RegSetValueExW.KERNELBASE(?,00000000,00000001,?,?), ref: 6CBF20EA
                                                                                                                                                                                  • RegCloseKey.KERNELBASE(?), ref: 6CBF20F6
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?,6CBF342F,0AEBFFFF), ref: 6CBF2158
                                                                                                                                                                                  • RegCreateKeyA.ADVAPI32(?,?,?), ref: 6CBF216C
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32(?,Client,00000000,?,?,?), ref: 6CBF218F
                                                                                                                                                                                  • RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028), ref: 6CBF21B9
                                                                                                                                                                                  • RegSetValueExA.ADVAPI32(?,Client32,00000000,00000003,BFA98035,3D6CBF80), ref: 6CBF21D1
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6CBF21D6
                                                                                                                                                                                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,6CBF3417,?,?,6CBF342F,0AEBFFFF), ref: 6CBF21F5
                                                                                                                                                                                  • RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 6CBF2210
                                                                                                                                                                                  • RegDeleteValueW.ADVAPI32(?,047C86E0), ref: 6CBF221E
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6CBF2227
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,6CBF342F,0AEBFFFF), ref: 6CBF223F
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,00000000), ref: 6CBF225F
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?), ref: 6CBF2271
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$CloseHeapOpenlstrlen$CombineCreatePathQuerylstrcpy$AllocDirectoryFreelstrcat$Deletelstrcmpiwsprintf
                                                                                                                                                                                  • String ID: ($AppData$Client$Client32$Microsoft$\Explorer\Shell Folders$\Run$\Software\Microsoft\Windows\CurrentVersion
                                                                                                                                                                                  • API String ID: 4063272932-2954684206
                                                                                                                                                                                  • Opcode ID: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
                                                                                                                                                                                  • Instruction ID: d5b5995981af87601f0265e63448b9721a9a69c03413a0e9ad7d1cc960552da6
                                                                                                                                                                                  • Opcode Fuzzy Hash: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 23A12671A00189FFDF119FA2DC88DAEBB7DFB0A344F104422F925A6610D7319A5ADF52

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 84 6cbf16b2-6cbf16dc call 6cbf1a53 87 6cbf1a48-6cbf1a50 84->87 88 6cbf16e2-6cbf16ed 84->88 89 6cbf16f1-6cbf1729 GetCursorInfo call 6cbf345b 88->89 92 6cbf172b-6cbf172d 89->92 92->87 93 6cbf1733-6cbf1740 call 6cbf22c9 92->93 96 6cbf1754-6cbf1757 93->96 97 6cbf1742-6cbf174c 93->97 98 6cbf1759-6cbf176d call 6cbf2c92 96->98 99 6cbf17b2-6cbf17d8 CreateFileA 96->99 97->96 98->99 109 6cbf176f-6cbf1781 GetLongPathNameW 98->109 100 6cbf17fd-6cbf1801 99->100 101 6cbf17da-6cbf17f0 ReadFile 99->101 105 6cbf1818-6cbf1830 call 6cbf389c 100->105 106 6cbf1803 call 6cbf1000 100->106 103 6cbf17f6-6cbf17f7 CloseHandle 101->103 104 6cbf17f2 101->104 103->100 104->103 117 6cbf1843-6cbf186b call 6cbf150f call 6cbf1b96 105->117 118 6cbf1832-6cbf1837 105->118 111 6cbf1808-6cbf180e 106->111 112 6cbf17a9-6cbf17ad 109->112 113 6cbf1783-6cbf1794 call 6cbf11b2 109->113 111->105 115 6cbf1810 111->115 112->99 113->112 125 6cbf1796-6cbf17a2 GetLongPathNameW call 6cbf11c7 113->125 120 6cbf1812-6cbf1813 115->120 130 6cbf186d-6cbf187f call 6cbf1b96 117->130 131 6cbf1885-6cbf1898 call 6cbf2e82 117->131 118->117 122 6cbf1839-6cbf183e call 6cbf1638 118->122 120->87 122->117 129 6cbf17a7 125->129 129->99 130->131 136 6cbf1a40-6cbf1a46 GetLastError 130->136 137 6cbf189e-6cbf18a5 call 6cbf11dc 131->137 138 6cbf1a3b-6cbf1a3e 131->138 136->87 137->87 141 6cbf18ab-6cbf18b1 137->141 138->87 138->136 142 6cbf18bc-6cbf18c1 call 6cbf2f05 141->142 143 6cbf18b3 call 6cbf128f 141->143 147 6cbf18c6-6cbf18c8 142->147 146 6cbf18b8-6cbf18ba 143->146 146->142 148 6cbf190b-6cbf1916 call 6cbf137f 146->148 147->148 149 6cbf18ca-6cbf18d2 147->149 154 6cbf191f-6cbf193a 148->154 155 6cbf1918 148->155 149->148 151 6cbf18d4-6cbf18db call 6cbf14c3 149->151 151->148 159 6cbf18dd-6cbf18e3 151->159 157 6cbf193c-6cbf1941 154->157 158 6cbf1943 154->158 155->154 160 6cbf1948-6cbf196a ConvertStringSecurityDescriptorToSecurityDescriptorA CreateEventA 157->160 158->160 161 6cbf18fb-6cbf1906 call 6cbf1ddb 159->161 162 6cbf18e5-6cbf18f9 call 6cbf1d2e 159->162 163 6cbf196c-6cbf1974 GetLastError 160->163 164 6cbf1996-6cbf19b9 call 6cbf3349 160->164 161->120 162->148 162->161 168 6cbf198f-6cbf1990 CloseHandle 163->168 169 6cbf1976-6cbf1989 SetEvent Sleep ResetEvent 163->169 173 6cbf19bb-6cbf19bd 164->173 174 6cbf19e2-6cbf19f0 call 6cbf2d19 164->174 168->164 169->168 175 6cbf1a2f-6cbf1a39 LocalFree 173->175 176 6cbf19bf-6cbf19c6 173->176 174->138 181 6cbf19f2-6cbf1a09 CreateWaitableTimerA 174->181 175->138 176->174 178 6cbf19c8-6cbf19d1 DeleteFileW 176->178 178->174 180 6cbf19d3-6cbf19dc MoveFileExW 178->180 180->174 181->175 182 6cbf1a0b-6cbf1a29 SetWaitableTimer CloseHandle 181->182 182->175
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
                                                                                                                                                                                    • Part of subcall function 6CBF1A53: OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
                                                                                                                                                                                  • GetCursorInfo.USER32 ref: 6CBF16FE
                                                                                                                                                                                    • Part of subcall function 6CBF345B: lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
                                                                                                                                                                                  • GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
                                                                                                                                                                                  • CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
                                                                                                                                                                                  • ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 6CBF17E8
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF17F7
                                                                                                                                                                                    • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
                                                                                                                                                                                  • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1),00000001,?,00000000), ref: 6CBF1948
                                                                                                                                                                                  • CreateEventA.KERNEL32(?,00000001,00000000,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF195B
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 6CBF196C
                                                                                                                                                                                  • SetEvent.KERNEL32(00000000), ref: 6CBF1977
                                                                                                                                                                                  • Sleep.KERNEL32(00000BB8), ref: 6CBF1982
                                                                                                                                                                                  • ResetEvent.KERNEL32(00000000), ref: 6CBF1989
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000), ref: 6CBF1990
                                                                                                                                                                                  • DeleteFileW.KERNELBASE(047C87C8,?), ref: 6CBF19C9
                                                                                                                                                                                  • MoveFileExW.KERNELBASE(00000000,00000004), ref: 6CBF19DC
                                                                                                                                                                                  • CreateWaitableTimerA.KERNEL32(?,00000001,?), ref: 6CBF19FF
                                                                                                                                                                                  • SetWaitableTimer.KERNELBASE(00000000,0000000C,00000000,00000000,00000000,00000000), ref: 6CBF1A22
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF1A29
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 6CBF1A33
                                                                                                                                                                                  • GetLastError.KERNEL32(EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1A40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • c:\321.txt, xrefs: 6CBF17C4
                                                                                                                                                                                  • S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1), xrefs: 6CBF1943
                                                                                                                                                                                  • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 6CBF193C
                                                                                                                                                                                  • N;U, xrefs: 6CBF1851
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateEventFile$CloseHandle$DescriptorErrorLastLongNamePathProcessSecurityTimerWaitable$ConvertCurrentCursorDeleteFreeInfoLocalMoveOpenReadResetSleepStringVersionlstrcmplstrcpyn
                                                                                                                                                                                  • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$N;U$S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)$c:\321.txt
                                                                                                                                                                                  • API String ID: 400546999-400329992
                                                                                                                                                                                  • Opcode ID: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction ID: 0bfabbcd689d29662f5e76863d64d4601979bad7f637ba32e1b45e975acdee41
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31A1B4B26052859FDB009F75D884A9E77F8EB45308F498E2AF571D3750D730D84E8B92

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 199 6cbf150f-6cbf1526 LoadLibraryA 200 6cbf1528-6cbf153c GetProcAddress 199->200 201 6cbf1574-6cbf1579 199->201 202 6cbf153e-6cbf1551 GetModuleHandleA GetProcAddress 200->202 203 6cbf1572-6cbf1573 200->203 202->203 204 6cbf1553-6cbf155e FindWindowA 202->204 203->201 204->203 205 6cbf1560-6cbf1569 204->205 205->203 207 6cbf156b 205->207 207->203
APIs
• LoadLibraryA.KERNEL32(USER32.DLL,6CBF0000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF151E
• GetProcAddress.KERNEL32(00000000,FindWindowA), ref: 6CBF1536
• GetModuleHandleA.KERNEL32(USER32.DLL,GetWindowThreadProcessId,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF1544
• GetProcAddress.KERNEL32(00000000), ref: 6CBF154B
• FindWindowA.USER32(ProgMan,00000000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF155A
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AddressProc$FindHandleLibraryLoadModuleWindow
• String ID: FindWindowA$GetWindowThreadProcessId$N;U$N;U$ProgMan$USER32.DLL
• API String ID: 2344282417-784344377
• Opcode ID: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
• Instruction ID: 90303c8af2e5426ee61dd3f30d4da4a227fc22531a4cb19a3f2950c7a1b0db72
• Opcode Fuzzy Hash: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
• Instruction Fuzzy Hash: 8EF0F6B2E01259B7EF0196B99C46FAF7AECDB06654F60041AA533E3700DA74DD0A86B1

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(6CBF342F,C0000000,00000001,00000000,00000004,00000080,00000000,6CBF3417,00000000,6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C6C
• WriteFile.KERNEL32(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C92
• WriteFile.KERNEL32(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CAB
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CB1
• SetEndOfFile.KERNEL32(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CBD
• CloseHandle.KERNEL32(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CC6
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CCE
• CreateFileW.KERNEL32(6CBF342F,C0000000,00000001,00000000,00000003,00000080,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CED
• WriteFile.KERNEL32(00000000,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D03
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D09
• FlushFileBuffers.KERNEL32(00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D13
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D1B
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$ErrorLast$Write$Create$BuffersCloseFlushHandle
• String ID:
• API String ID: 2625730619-0
• Opcode ID: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
• Instruction ID: 71b52acd720305bbb8fdd735e3808596cbd223411343c519a1023ed0fa8217e4
• Opcode Fuzzy Hash: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
• Instruction Fuzzy Hash: E83162B1A00208FFEF00DFA5CD44BAEBBB9EB4A754F148515F920E7290D7719A019B21

Control-flow Graph

APIs
• memset.NTDLL ref: 6CBF1407
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
  • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
• CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?,00000000,%systemroot%\system32\svchost.exe,C000009A,?,00000000), ref: 6CBF1444
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000001), ref: 6CBF1470
• GetExitCodeProcess.KERNEL32(?,00000000), ref: 6CBF1481
• CloseHandle.KERNELBASE(00000000,?,00000000,00000001), ref: 6CBF1490
• CloseHandle.KERNEL32(?), ref: 6CBF1495
• GetLastError.KERNEL32(00000001), ref: 6CBF1499
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF14AA
  • Part of subcall function 6CBF449E: memset.NTDLL ref: 6CBF44C1
  • Part of subcall function 6CBF449E: ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
  • Part of subcall function 6CBF449E: WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
  • Part of subcall function 6CBF449E: SuspendThread.KERNEL32(?), ref: 6CBF456D
  • Part of subcall function 6CBF449E: GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
  • Part of subcall function 6CBF449E: ResumeThread.KERNELBASE(?), ref: 6CBF45E4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Thread$CloseEnvironmentErrorExpandHandleLastObjectProcessResumeSingleStringsWaitmemset$AddressCodeCreateExitFreeHeapProcSuspend
• String ID: %systemroot%\system32\svchost.exe$D
• API String ID: 3646439427-390745801
• Opcode ID: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
• Instruction ID: dff90efabb4aff0f65664f43ecb5f690705236365ede14db7bfd50482c3267fd
• Opcode Fuzzy Hash: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
• Instruction Fuzzy Hash: 012169B1901168BFCB019FA6DC489EF7F7DEF46365F108426F625A6250C7318A098FA2

Control-flow Graph
APIs
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,6CBF0000,00000000,00000000), ref: 6CBF12E6
• lstrlenW.KERNEL32(?), ref: 6CBF12F9
• HeapAlloc.KERNEL32(00000000,?), ref: 6CBF130E
• RegQueryValueExW.KERNELBASE(?,00000000,00000001,00000000,?), ref: 6CBF132D
• lstrcmpiW.KERNEL32(00000000,?), ref: 6CBF1347
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF1360
• RegCloseKey.KERNELBASE(?), ref: 6CBF1365
• RtlFreeHeap.NTDLL(00000000,?), ref: 6CBF1375
Strings
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 6CBF12DC
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Heap$Free$AllocCloseOpenQueryValuelstrcmpilstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion\Run
• API String ID: 464076213-1428018034
• Opcode ID: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
• Instruction ID: fe687682966ef18a9cadcd1d6bf5c1e12d65ed12d7db68d216dd488f7ad79e6e
• Opcode Fuzzy Hash: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
• Instruction Fuzzy Hash: BF217C72A01119BFDF119FA2DC48EAFBBBCFB06348B554565E921E3310D3729915CBA0

Control-flow Graph
APIs
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(00000274,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(00000274,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• OpenProcess.KERNEL32(001F0FFF,00000000,6CBF1623,6CBF1623,C000009A,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF461E
• GetProcAddress.KERNEL32(RtlExitUserThread), ref: 6CBF4652
• GetProcAddress.KERNEL32(CreateRemoteThread), ref: 6CBF4661
• CloseHandle.KERNEL32(6CBF1623,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF4692
• GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF469A
• CloseHandle.KERNEL32(?,?,?,6CBF1623,?,?), ref: 6CBF46AC
• GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF46B4
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Handle$AddressCloseProcProcess$ErrorLastOpen$ModuleWow64
                                                                                                                                                                                  • String ID: CreateRemoteThread$RtlExitUserThread
                                                                                                                                                                                  • API String ID: 1303122091-3466022969
                                                                                                                                                                                  • Opcode ID: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
                                                                                                                                                                                  • Instruction ID: 82551c7240de48624df413532e57212cef16f453a4b6d6d5af3e551ea2f3c787
                                                                                                                                                                                  • Opcode Fuzzy Hash: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
                                                                                                                                                                                  • Instruction Fuzzy Hash: 7B219272A00198BFDF015FF5DD4889EBBB9EB0A354B114876E931E3710D6714D0E8E91

Control-flow Graph (graph image not reproduced)
APIs
  • Part of subcall function 6CBF2492: GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
  • Part of subcall function 6CBF2492: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
  • Part of subcall function 6CBF2492: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
• String ID: NTDLL.DLL
• API String ID: 3901270786-1613819793
• Opcode ID: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction ID: 6feb7925d7ff07bc43edbcc22aa82d619937076948661425e6b66be1e10d63d6
• Opcode Fuzzy Hash: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction Fuzzy Hash: 2A31C371205792ABD321CF56C888F1BBBE8EF85754F110909F9A457781C730D90ACBA3

Control-flow Graph (graph image not reproduced)
APIs
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
• IsWow64Process.KERNEL32(00000274,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
• CloseHandle.KERNELBASE(00000274,?,?,6CBF173E,00000000,?), ref: 6CBF2335
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: HandleProcess$AddressCloseModuleOpenProcWow64
• String ID: IsWow64Process$KERNEL32.DLL
• API String ID: 4157061983-1193389583
• Opcode ID: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction ID: c0ab2c1abe1b4340081c7cdf9fe61c6d41a4c2e604a853c51e3d6d59090e8d96
• Opcode Fuzzy Hash: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction Fuzzy Hash: 1601A7B5A02584FFDB069F66D90C89E7BBDEBCA7557204126E534D3300D2718B45CB63

Control-flow Graph (graph image not reproduced)

APIs
• OpenProcessToken.ADVAPI32(000000FF,00020008,?,00000000), ref: 6CBF2F37
• GetTokenInformation.KERNELBASE(?,00000014(TokenIntegrityLevel),00000001,00000004,?,00000000), ref: 6CBF2F57
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 6CBF2F67
• CloseHandle.KERNELBASE(?), ref: 6CBF2FB7
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,6CBF0000), ref: 6CBF2F8A
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 6CBF2F92
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 6CBF2FA2
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
• String ID:
• API String ID: 1295030180-0
• Opcode ID: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction ID: 9fc0a7b9fc51d0eebef006e9924587aee81be6ddab7e764d3136aa0c5d05aec2
• Opcode Fuzzy Hash: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction Fuzzy Hash: 94212A75900249BFEF019FA5DD44DEEBBBDEB09304F104066E920A6350C7719A09EF61

Control-flow Graph (graph image not reproduced)

APIs
• memset.NTDLL ref: 6CBF44C1
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(00000274,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(00000274,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
• SuspendThread.KERNEL32(?), ref: 6CBF456D
• GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
• ResumeThread.KERNELBASE(?), ref: 6CBF45E4
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Thread$HandleProcessResume$AddressCloseErrorLastModuleObjectOpenProcSingleSuspendWaitWow64memset
• String ID:
• API String ID: 3158980537-0
• Opcode ID: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
• Instruction ID: b7bf53af608e10ce6e97ce3a8b46c8b9165ff845f5aff955d537bd41850555bf
• Opcode Fuzzy Hash: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
• Instruction Fuzzy Hash: A231DD71900258BBDF02AFA5C944ADEBB78EF01368F008162F934A7750D7319E5ACF91
APIs
• lstrcatW.KERNEL32(.dll,?,6CBF0000,00000000,?), ref: 6CBF120F
  • Part of subcall function 6CBF3723: lstrlenA.KERNEL32(6CBF1224,00000000,?,00000027,6CBF0000,00000000,00000000,?,?,?,6CBF1224,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF3759
  • Part of subcall function 6CBF3723: lstrcpyA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF377D
  • Part of subcall function 6CBF3723: lstrcatA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF3785
• HeapFree.KERNEL32(00000000,?,Local\,00000001,00000000,00000001,Local\,00000001,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF1282
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: lstrcat$FreeHeaplstrcpylstrlen
                                                                                                                                                                                  • String ID: .dll$Local\$Software\AppDataLow\Software\Microsoft\
                                                                                                                                                                                  • API String ID: 2335496509-1273941773
                                                                                                                                                                                  • Opcode ID: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
                                                                                                                                                                                  • Instruction ID: f9ee55973e922b6819aef8c67e07787b0fef87324c2b223b26c882a5c12a0ba0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3D115BB5A01289ABEF00CBA6ED45F9E7BB8EB91204F1050A6A431E7B40E730D609CF51
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateFileW.KERNELBASE(6CBF342F,80000000,00000001,00000000,00000003,00000080,00000000,6CBF3417,047C87C8,6CBF342F,?,?,6CBF1BFB,047C87C8,00000000,00000000), ref: 6CBF3A36
                                                                                                                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,6CBF1BFB,047C87C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A46
                                                                                                                                                                                  • ReadFile.KERNELBASE(6CBF342F,00000000,00000000,6CBF3433,00000000,00000001,?,?,6CBF1BFB,047C87C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F), ref: 6CBF3A72
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,6CBF1BFB,047C87C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A97
                                                                                                                                                                                  • CloseHandle.KERNEL32(000000FF,?,?,6CBF1BFB,047C87C8,00000000,00000000,6CBF3417,00000000,6CBF2116), ref: 6CBF3AA8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateErrorHandleLastReadSize
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3577853679-0
                                                                                                                                                                                  • Opcode ID: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
                                                                                                                                                                                  • Instruction ID: 41644cd9c9b9f97e9c6811693926bc9ec7671719c589b5331f1cc4fe94abf577
                                                                                                                                                                                  • Opcode Fuzzy Hash: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
                                                                                                                                                                                  • Instruction Fuzzy Hash: 14115972201295FFDB105F76CC88E9E7B6DDB063A4F10422AF934A7350D3319D4A86A2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF436F
                                                                                                                                                                                    • Part of subcall function 6CBF41BA: memset.NTDLL ref: 6CBF41F6
                                                                                                                                                                                  • ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 6CBF43F9
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000064), ref: 6CBF4407
                                                                                                                                                                                  • Wow64SuspendThread.KERNEL32(?), ref: 6CBF441A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Threadmemset$ObjectResumeSingleSuspendWaitWow64
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 390528492-0
                                                                                                                                                                                  • Opcode ID: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
                                                                                                                                                                                  • Instruction ID: c5d6127d432ecac6846b5fedc38fa2e465c2ed4b195dba71b5713391a7266aa7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8E317E71108381AFE711DF50C980AABBBA9FF88318F004929F6A492761DB71D95DDF93
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,?,?), ref: 6CBF3370
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?), ref: 6CBF33B7
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CBF3424
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?), ref: 6CBF344C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3664505660-0
                                                                                                                                                                                  • Opcode ID: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
                                                                                                                                                                                  • Instruction ID: c01a025978880df60076113d02ef46dac7817f8015366d424635c291b44ed363
                                                                                                                                                                                  • Opcode Fuzzy Hash: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1B317A71D00169EBCF129BAACC448EFFFB9EB85754F104526E9A1B3310C2714A49DB92
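The function records in this report follow a fixed text layout (an "APIs" list with top-level and "Part of subcall function" entries, then "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" fields). When triaging a long report it is quicker to parse that layout than to read it. The Python below is an added example, written for this page and not part of Joe Sandbox or of the report itself: it parses records into dictionaries, decodes the predefined registry root handle passed to RegOpenKeyExA (0x80000003 is HKEY_USERS, so the function at 6CBF3370 walks the per-user hives rather than HKEY_CURRENT_USER), and attaches a few triage tags. The tags are my own heuristics, not Joe Sandbox signatures, and the embedded sample text is a constructed excerpt copied from the two records above (the HKEY_USERS enumeration at 6CBF3370 and the ResumeThread/Wow64SuspendThread sequence at 6CBF43F9).

```python
"""Parse Joe Sandbox per-function records (APIs / Memory Dump Source / Similarity).
Added example for this page; not Joe Sandbox code.  Tags are heuristic."""
import re

API_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list is optional (e.g. 'memset.NTDLL ref: ...')
    r"(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<value>.*?)\s*$")
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Predefined root handles from winreg.h; the first RegOpenKeyExA argument in the report.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}


def hex_arg(token):
    """'00000064' -> 100.  Unresolved arguments are printed as '?' and become None."""
    try:
        return int(token, 16)
    except ValueError:
        return None


def parse_api_line(line):
    m = API_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    return {
        "api": m.group("api"),
        "module": m.group("module"),
        "args": [a.strip() for a in args.split(",")] if args else [],
        "ref": m.group("ref"),
        "caller": m.group("caller"),  # set only on 'Part of subcall function' lines
    }


def parse_records(text):
    """Split report text into records; each 'APIs' heading starts a new one."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            if line == "APIs":
                current = {"apis": [], "strings": [], "fields": {}}
                records.append(current)
            section = line
            continue
        if current is None:
            continue  # tail of a record whose 'APIs' heading is outside the text
        if section == "APIs":
            call = parse_api_line(line)
            if call:
                current["apis"].append(call)
        elif section == "Strings":
            current["strings"].append(line.lstrip("• ").strip())
        else:
            m = FIELD_RE.match(line)
            if m:
                current["fields"][m.group("key")] = m.group("value")
    return records


def top_level_apis(rec):
    return {c["api"] for c in rec["apis"] if c["caller"] is None}


def registry_roots(rec):
    """Root key names passed to RegOpenKeyEx*/RegCreateKeyEx* in this record."""
    roots = []
    for c in rec["apis"]:
        if c["api"].startswith(("RegOpenKeyEx", "RegCreateKeyEx")) and c["args"]:
            roots.append(HKEY_ROOTS.get(hex_arg(c["args"][0]), c["args"][0]))
    return roots


def tag_record(rec):
    """Heuristic triage tags derived from the API names and the String ID field."""
    names = top_level_apis(rec)
    tags = set()
    if {"ResumeThread", "Wow64SuspendThread"} <= names or {"ResumeThread", "SuspendThread"} <= names:
        tags.add("thread-suspend-resume")
    if "RegEnumKeyExA" in names or "RegEnumKeyExW" in names:
        tags.add("registry-key-enumeration")
    string_id = rec["fields"].get("String ID", "")
    if any(s in string_id for s in ("LdrLoadDll", "LdrGetProcedureAddress", "ZwProtectVirtualMemory")):
        tags.add("ntdll-export-lookup")
    return tags


# Constructed sample: two records copied from the report text above.
SAMPLE = """APIs
• RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,?,?), ref: 6CBF3370
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?), ref: 6CBF33B7
• WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CBF3424
• RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?), ref: 6CBF344C
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
Similarity
• API ID: AllocateCloseEnumHeapObjectOpenSingleWait
• String ID:
• API String ID: 3664505660-0
APIs
• memset.NTDLL ref: 6CBF436F
  • Part of subcall function 6CBF41BA: memset.NTDLL ref: 6CBF41F6
• ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 6CBF43F9
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF4407
• Wow64SuspendThread.KERNEL32(?), ref: 6CBF441A
Similarity
• API ID: Threadmemset$ObjectResumeSingleSuspendWaitWow64
• String ID:
• API String ID: 390528492-0
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["fields"].get("API String ID"), sorted(top_level_apis(rec)),
              sorted(tag_record(rec)), registry_roots(rec))
```

Running the block prints one line per record with its API String ID, the top-level API names, the heuristic tags and any decoded registry roots; the first record resolves to HKEY_USERS, and the second carries the 100 ms (0x64) WaitForSingleObject timeout between ResumeThread and Wow64SuspendThread.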
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy
                                                                                                                                                                                  • String ID: LdrGetProcedureAddress$LdrLoadDll$ZwProtectVirtualMemory
                                                                                                                                                                                  • API String ID: 3510742995-2710412950
                                                                                                                                                                                  • Opcode ID: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
                                                                                                                                                                                  • Instruction ID: b26b4d089e5465923a51dcfe1ec991e96474259b2b81f3a0a30ba33eb298a4ef
                                                                                                                                                                                  • Opcode Fuzzy Hash: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
                                                                                                                                                                                  • Instruction Fuzzy Hash: AF0121707122819BCF48DF55E8C1896B7B1FB92354B12C836E2B497B21D331544E8FB2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • InterlockedIncrement.KERNEL32(6CBFA948), ref: 6CBF1157
                                                                                                                                                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6CBF116A
                                                                                                                                                                                  • InterlockedDecrement.KERNEL32(6CBFA948), ref: 6CBF1196
                                                                                                                                                                                  • HeapDestroy.KERNELBASE ref: 6CBF11A6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HeapInterlocked$CreateDecrementDestroyIncrement
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4057829272-0
                                                                                                                                                                                  • Opcode ID: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
                                                                                                                                                                                  • Instruction ID: bb848c8a35e7dee50c46aa7aba71969739e237411599ff4d1c02f77b26540bbe
                                                                                                                                                                                  • Opcode Fuzzy Hash: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
                                                                                                                                                                                  • Instruction Fuzzy Hash: 92F0F978786282AFEB049F2ADC09B06BEB4EB87764F598925E474D2740D730D54A8B12
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlUpcaseUnicodeString.NTDLL ref: 6CBF15A6
                                                                                                                                                                                  • RtlFreeUnicodeString.NTDLL(?,?,?), ref: 6CBF1628
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: StringUnicode$FreeUpcase
• String ID: N;U
• API String ID: 941810394-3665909347
• Opcode ID: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
• Instruction ID: 04db9d4d0059404eb37b95737045e883904a8c4d1c567b8457c62cb36d00d5ec
• Opcode Fuzzy Hash: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
• Instruction Fuzzy Hash: A111D071A01385BADF109A21D84079E73A9EB09714F288D25E871D7FA0DB31E94ECB92
APIs
• memset.NTDLL ref: 6CBF2755
• memcpy.NTDLL ref: 6CBF277D
  • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
  • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
  • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
• GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
• GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
• String ID:
• API String ID: 685050087-0
• Opcode ID: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
• Instruction ID: 79cf99de8b29e72afb6cc3e27418fca29fd778fab988e2b27339a1c4fcd54735
• Opcode Fuzzy Hash: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
• Instruction Fuzzy Hash: 2E419FB1504381AFD720CF65C945B9BBBF8EB48314F004A29F5A8C6751E730D91A8B63
APIs
• memset.NTDLL ref: 6CBF1386
  • Part of subcall function 6CBF379A: memcpy.NTDLL(00000000,?,?,?,00000000,00000000,?,?,?,?,6CBF13A4,?,?), ref: 6CBF384F
• HeapFree.KERNEL32(00000000,?,?,?,00000008,EE553B4E,?,?,00000000,EE553B4E), ref: 6CBF13D8
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: FreeHeapmemcpymemset
• String ID: N;U
• API String ID: 2272576838-3665909347
• Opcode ID: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
• Instruction ID: f846aa8a4bedd2feff064d35cf0f8959c5c9789584d21487d1336933b26f5269
• Opcode Fuzzy Hash: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
• Instruction Fuzzy Hash: 51F06DB12022806ADB61CA76AC48E9736BCEBC2348F040925B861C3B40DB61D50E8B61
APIs
  • Part of subcall function 6CBF16B2: GetCursorInfo.USER32 ref: 6CBF16FE
  • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
  • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
  • Part of subcall function 6CBF16B2: CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
• ExitProcess.KERNEL32 ref: 6CBF113B
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: LongNamePath$CreateCursorExitFileInfoProcess
• String ID:
• API String ID: 1773960417-0
• Opcode ID: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
• Instruction ID: d67f01e87a2cb07e2a617664e22e2f7a955f37f86d688e3fd11fc16db191311b
• Opcode Fuzzy Hash: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
• Instruction Fuzzy Hash: A8A002F09102C077CD20A7F2981C99E256EAB0320D78CCD097471E3B10CF39D44E5669
APIs
  • Part of subcall function 6CBF2A18: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
  • Part of subcall function 6CBF2A18: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
  • Part of subcall function 6CBF2A18: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
  • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
  • Part of subcall function 6CBF2A18: StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
  • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
  • Part of subcall function 6CBF2A18: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2B87
  • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
  • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
• String ID:
• API String ID: 4138075514-0
• Opcode ID: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
• Instruction ID: 349b2e1dac7b352ec203c28e6d01593987971f3df7588759c45d7327db196996
• Opcode Fuzzy Hash: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
• Instruction Fuzzy Hash: EA21C471D01268ABCF11CFE5DC84ACEBBB4FF09714F20412AE924B2650C3749A0ACF91
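The two allocation sites above are worth reading with the Win32 constants in hand: the NtAllocateVirtualMemory call reached from subcall function 6CBF2E32 (ref 6CBF2E63) passes AllocationType 00003000 (MEM_COMMIT|MEM_RESERVE) and Protect 00000040 (PAGE_EXECUTE_READWRITE), i.e. a region that is writable and executable at once, which is the staging area one expects before code is copied in and run; the VirtualAlloc calls in function 6CBF2A18 and at ref 6CBF2B87 use Protect 00000004 (PAGE_READWRITE) and are ordinary data buffers. The following is an added example, not part of the Joe Sandbox report or of the sample: a small Python parser for the "APIs" listing lines in the format shown on this page, which decodes the AllocationType and Protect arguments of the allocation APIs and flags executable-and-writable allocations. The sample listing inside it is constructed by copying lines from this report's entries into one block. Joe Sandbox prints the raw stack words it observed at the call site, so an argument list can run past the API's real parameter count (the VirtualAlloc line carries sixteen values for a four-parameter call) and individual words can be stale or unrecoverable ("?"); the decoder therefore reads only the documented positional parameters and treats any non-numeric word as unknown.

```python
"""Parse Joe Sandbox 'APIs' listing lines and flag executable+writable allocations."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: these API lines are copied from this report's function entries;
# grouping them into a single listing is ours, not the report's.
SAMPLE_LISTING = """\
• memset.NTDLL ref: 6CBF2755
• memcpy.NTDLL ref: 6CBF277D
  • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
  • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
• GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2B87
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
"""

# One listing line: optional bullet, optional "Part of subcall function X:" prefix,
# "Api.MODULE", optional "(args)", then "ref: <call-site address>".
_LINE_RE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_.]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_HEX_WORD = re.compile(r"[0-9A-Fa-f]{8}")

# Documented Win32 memory-protection and allocation-type constants (winnt.h).
PAGE_FLAGS = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
             0x4000: "MEM_DECOMMIT", 0x8000: "MEM_RELEASE"}
# Protections that are writable and executable at the same time.
WRITE_EXEC_MASK = 0x40 | 0x80

# API name -> (index of AllocationType parameter, index of Protect parameter),
# per the documented prototypes; positions past these are ignored on purpose.
ALLOC_APIS = {
    "NtAllocateVirtualMemory": (4, 5),
    "ZwAllocateVirtualMemory": (4, 5),
    "VirtualAlloc": (2, 3),
    "VirtualAllocEx": (3, 4),
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                     # call-site address inside the dumped module
    args: list                   # int for a 32-bit hex word, None for "?", str otherwise
    callee: Optional[str] = None  # set when the line is "Part of subcall function X"


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None              # value not recovered by the sandbox
    if _HEX_WORD.fullmatch(tok):
        return int(tok, 16)      # stack word as printed
    return tok                   # string argument (path, export name, ...)


def parse_api_lines(text: str) -> list[ApiCall]:
    """Return one ApiCall per listing line; headings and other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [_parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(ApiCall(api=m.group("api"), module=m.group("module"),
                             ref=m.group("ref").upper(), args=args,
                             callee=m.group("callee")))
    return calls


def _decode(value: int, table: dict) -> str:
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return "|".join(names) if names else hex(value)


def decode_protect(value: int) -> str:
    return _decode(value, PAGE_FLAGS)


def decode_alloc_type(value: int) -> str:
    return _decode(value, MEM_FLAGS)


def find_rwx_allocations(calls: list[ApiCall]) -> list[ApiCall]:
    """Allocation calls whose Protect argument is both writable and executable."""
    hits = []
    for c in calls:
        idx = ALLOC_APIS.get(c.api)
        if idx is None or len(c.args) <= idx[1]:
            continue
        protect = c.args[idx[1]]
        if isinstance(protect, int) and protect & WRITE_EXEC_MASK:
            hits.append(c)
    return hits


def describe_allocation(c: ApiCall) -> str:
    alloc_idx, prot_idx = ALLOC_APIS[c.api]
    alloc, prot = c.args[alloc_idx], c.args[prot_idx]
    alloc_s = decode_alloc_type(alloc) if isinstance(alloc, int) else "?"
    prot_s = decode_protect(prot) if isinstance(prot, int) else "?"
    return f"{c.ref} {c.api} AllocationType={alloc_s} Protect={prot_s}"


if __name__ == "__main__":
    for call in find_rwx_allocations(parse_api_lines(SAMPLE_LISTING)):
        print("RWX allocation:", describe_allocation(call))
```

Run against the sample listing it reports only the NtAllocateVirtualMemory call at 6CBF2E63; the VirtualAlloc at 6CBF2B87 decodes to PAGE_READWRITE and is left alone. The same parser can be pointed at the full function listing of a report to pull out every subcall chain that ends in an RWX allocation.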
APIs
• RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
• Instruction ID: b8ce547b5503943abe1f2380b6df63760ba07a9de63245981ce5e6f619c5a836
• Opcode Fuzzy Hash: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
• Instruction Fuzzy Hash: BCB01231610100FFCF014B20DD09F057B71B752700F01C021B3140136082320420EF14
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
• Instruction ID: 82c2d1d36811edfd1c03c23f412d2c1185ad7d48691b39041a0e41481a5e6262
• Opcode Fuzzy Hash: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
• Instruction Fuzzy Hash: B7B01231200100AFCE014B20DD09F057B71B752700F118021B3180226082324420EF08
APIs
  • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
  • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
  • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
  • Part of subcall function 6CBF2FCE: memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF2FCE: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
  • Part of subcall function 6CBF2FCE: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
  • Part of subcall function 6CBF2FCE: CloseHandle.KERNEL32(?), ref: 6CBF3097
  • Part of subcall function 6CBF2FCE: StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
  • Part of subcall function 6CBF2FCE: lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
  • Part of subcall function 6CBF2FCE: FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
  • Part of subcall function 6CBF2FCE: CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
  • Part of subcall function 6CBF361F: lstrlenA.KERNEL32(6CBF11FC,00000000,6CBFAA50,00000001,6CBF3293,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?), ref: 6CBF3628
  • Part of subcall function 6CBF361F: mbstowcs.NTDLL ref: 6CBF364F
  • Part of subcall function 6CBF361F: memset.NTDLL ref: 6CBF3661
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?,6CBF0000,00000000,?), ref: 6CBF32AF
Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Heap$AllocTimememset$AddressCloseCompareCreateFindFirstFreeHandleProclstrcatlstrlenmbstowcs
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1861520213-0
APIs
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• memset.NTDLL ref: 6CBF29C9
  • Part of subcall function 6CBF272F: memset.NTDLL ref: 6CBF2755
  • Part of subcall function 6CBF272F: memcpy.NTDLL ref: 6CBF277D
  • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
  • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
Similarity
• API ID: ErrorLastmemset$AllocateHeapmemcpy
• String ID:
• API String ID: 4290293647-0
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,6CBF0000,00000000,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2E98
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2EA8
  • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
Similarity
• API ID: HandleModule$lstrcmp
• String ID: KERNEL32.DLL$N;U$NTDLL.DLL$~
• API String ID: 397996933-4041261047
APIs
• memset.NTDLL ref: 6CBF28A7
• GetLastError.KERNEL32(?,00000318,00000008), ref: 6CBF299A
  • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
  • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
  • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
  • Part of subcall function 6CBF2D8F: RtlNtStatusToDosError.NTDLL ref: 6CBF2DA7
• memcpy.NTDLL(00000218,6CBF4C11,00000100,?,00010003,?,?,00000318,00000008), ref: 6CBF2922
• RtlNtStatusToDosError.NTDLL ref: 6CBF297C
Similarity
• API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
• String ID:
• API String ID: 2966525677-0
APIs
• memset.NTDLL ref: 6CBF1DF9
• CoInitializeEx.OLE32(00000000,00000002,6CBF0000,00000000,00000000), ref: 6CBF1E04
• PathFindExtensionW.SHLWAPI(00000000,00000750), ref: 6CBF1E1F
• lstrcpyW.KERNEL32(00000000,.dll), ref: 6CBF1E34
• lstrlenW.KERNEL32(00000000), ref: 6CBF1E41
• lstrlenW.KERNEL32(?), ref: 6CBF1E4A
• lstrlenA.KERNEL32(?), ref: 6CBF1E51
• lstrcpyW.KERNEL32(00000000,.exe), ref: 6CBF1E82
• lstrlenW.KERNEL32(00000000), ref: 6CBF1E8F
• lstrlenW.KERNEL32(047C87C8), ref: 6CBF1E95
• wsprintfW.USER32 ref: 6CBF1EB9
• ShellExecuteExW.SHELL32(0000003C), ref: 6CBF1EEE
• CoUninitialize.OLE32(00000000), ref: 6CBF1F02
Similarity
• API ID: lstrlen$lstrcpy$ExecuteExtensionFindInitializePathShellUninitializememsetwsprintf
• String ID: .dll$.exe$/C "copy "%s" "%s" /y && "%s" "%s""$/C "copy "%s" "%s" /y && rundll32 "%s",%S"$<$PDu$cmd.exe$runas
• API String ID: 1734841466-4037923481
APIs
• RegisterClassExW.USER32(00000030), ref: 6CBF589A
• CreateWindowExW.USER32(00000000,WndClass1_56,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF58D4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClassCreateRegisterWindow
                                                                                                                                                                                  • String ID: 0$WndClass1_56$WndClass1_56$WndClass2_56$WndClass2_56
                                                                                                                                                                                  • API String ID: 3469048531-2885991380
                                                                                                                                                                                  • Opcode ID: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
                                                                                                                                                                                  • Instruction ID: 1da1817ac81876e7fe78940ce27b6f698a9a8a0e4fe90b04bb89c4cb50f8de6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B513AB0E40248EFDB08CF95C858B9EBBB4FB0A318F14C51AE5256B780D7755A4ACF94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(?,0123456789ABCDEF,00000022), ref: 6CBF553B
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF5668
                                                                                                                                                                                  • SuspendThread.KERNEL32(?), ref: 6CBF567B
                                                                                                                                                                                  • RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF56B9
                                                                                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 6CBF56C3
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF572E
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF5741
                                                                                                                                                                                  • SwitchToThread.KERNEL32 ref: 6CBF5747
                                                                                                                                                                                    • Part of subcall function 6CBF5240: UnregisterClassW.USER32(?,?), ref: 6CBF528B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$ClassCriticalSection$EnterFontLeaveRegisterRemoveResourceResumeSuspendSwitchUnregistermemcpy
                                                                                                                                                                                  • String ID: 0$0123456789ABCDEF
                                                                                                                                                                                  • API String ID: 196111645-1037189808
                                                                                                                                                                                  • Opcode ID: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
                                                                                                                                                                                  • Instruction ID: ec8ae05ca656cbd865962590630f0c9e5ad1a008833ab2aeeebbd841a51fc812
                                                                                                                                                                                  • Opcode Fuzzy Hash: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C6149B4A00248CFCB08CF94E594B9DBBB5FB49318F14C16AE9286BB51C735694ECF58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF677E
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF6791
                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 6CBF6799
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF67EE
                                                                                                                                                                                  • AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF677E
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF6791
                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 6CBF6799
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF67EE
                                                                                                                                                                                  • AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF3BA2,?,047C87C8,00000000,6CBF1E14,00000750), ref: 6CBF3B38
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000000,00000000,0000001D), ref: 6CBF3B51
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 6CBF3B58
                                                                                                                                                                                  • GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 6CBF3B66
                                                                                                                                                                                  • PathFindExtensionA.SHLWAPI(00000000,.bin), ref: 6CBF3B76
                                                                                                                                                                                  • lstrcpyA.KERNEL32(00000000), ref: 6CBF3B7D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PathTemp$AllocateCountExtensionFileFindHeapNameTicklstrcpy
                                                                                                                                                                                  • String ID: .bin
                                                                                                                                                                                  • API String ID: 1954728293-886015214
                                                                                                                                                                                  • Opcode ID: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
                                                                                                                                                                                  • Instruction ID: 3905d135d33b871c7896516b736e2a5dbd637fd96508635cecfa37c238bceb92
                                                                                                                                                                                  • Opcode Fuzzy Hash: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
                                                                                                                                                                                  • Instruction Fuzzy Hash: AAF0F6323429616786115AFB5C48D9F6A7CEF4B565B00021AF534D3700CB20C50F86F6
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000), ref: 6CBF1D69
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • PathFindFileNameW.SHLWAPI(00000000,6CBF0000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D81
                                                                                                                                                                                  • lstrcpyW.KERNEL32(00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D92
                                                                                                                                                                                  • lstrcpyW.KERNEL32(?,Low\,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DA4
                                                                                                                                                                                  • lstrcatW.KERNEL32(00000000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DAA
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
                                                                                                                                                                                    • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Heaplstrcpy$AllocateCloseCreateErrorFindFreeHandleLastNamePathWritelstrcatlstrlen
                                                                                                                                                                                  • String ID: Low\
                                                                                                                                                                                  • API String ID: 3723596976-2980988522
                                                                                                                                                                                  • Opcode ID: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
                                                                                                                                                                                  • Instruction ID: 5e8701f11d77c39a025a0949a0e6b88ad5f1dc7e94c412a8fb6a500fcdbcd2cb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
                                                                                                                                                                                  • Instruction Fuzzy Hash: 321191BA501669BBDF015BB68C44CDF76BCEF067587084915F92097B00CB75CA0A8BF1
APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,?,CCCCFEEB,6CBF406A,?,?,?,00000000), ref: 6CBF3DBA
• memcpy.NTDLL(?,6CBFA9C4,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 6CBF3E25
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: HandleModulememcpy
• String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
• API String ID: 1801490239-3173696408
• Opcode ID: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
• Instruction ID: ffeb380d8d970bc5294ced276848d6be44e6e33cb8b0d0530b48e838d2b55140
• Opcode Fuzzy Hash: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
• Instruction Fuzzy Hash: 530140B9B039819B9B09DA1AE945C573AB1F7C9318712C836E274D7B10D334944E8E73
APIs
• VirtualAlloc.KERNEL32(00000000,-00001000,00003000,00000004), ref: 6CBF5A8B
  • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,6CBF5C0B), ref: 6CBF5386
  • Part of subcall function 6CBF5320: GetAncestor.USER32(?,00000001,?,?,6CBF5C0B), ref: 6CBF539B
  • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,?), ref: 6CBF53D9
• memset.NTDLL ref: 6CBF5AB1
• SetWindowLongW.USER32(?,?,00000000), ref: 6CBF5B2D
• SetClassLongW.USER32(?,00000000,00000000), ref: 6CBF5B47
• SetWindowLongW.USER32(?,?,-00000018), ref: 6CBF5B81
• VirtualFree.KERNEL32(00000000,-00001000,00010000), ref: 6CBF5B99
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Long$Window$Virtual$AllocAncestorClassFreememset
• String ID:
• API String ID: 210331842-0
• Opcode ID: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
• Instruction ID: 4b866780d81807b53a4af51d80212cabb928143c0fb43d53a00e6ddbf7fe0d85
• Opcode Fuzzy Hash: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
• Instruction Fuzzy Hash: 83513AB5700104EFCB08CF98D594FAAB7B5FB89304F1082AAED299B755C731AA49CF54
APIs
• lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: lstrcpyn
• String ID: .bss$Apr 11 2017$N;U$N;U$version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
• API String ID: 97706510-2121357827
• Opcode ID: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
• Instruction ID: bb5a7339562cc7116cf36ba3f756b68a3f4c171f1f3ff192e00d3cceaef4690d
• Opcode Fuzzy Hash: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
• Instruction Fuzzy Hash: 20419F71A002599BDB05CF89C4C0AAEB7B2FF89318F258159DD206B705C374E94ACF92
APIs
• RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF543C
• SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF545C
• SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF548C
• SetThreadPriority.KERNEL32(?,?), ref: 6CBF54AE
• ResumeThread.KERNEL32(?), ref: 6CBF54DF
• SwitchToThread.KERNEL32 ref: 6CBF54E5
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Thread$AffinityMask$FontPriorityRemoveResourceResumeSwitch
• String ID:
• API String ID: 3293583530-0
• Opcode ID: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
• Instruction ID: 9c0a5c3a3cfb1f3b8c9d6fc981a2cf4cc05864e3cf2f8c6865b2b463514c51b8
• Opcode Fuzzy Hash: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
• Instruction Fuzzy Hash: 10219F71704200DFCB08CF25D888B9A73BAFB86305F54C169E9298BB55CB75998DDF04
APIs
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
• GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
• WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
• SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
• CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastWrite
• String ID:
• API String ID: 1150274393-0
• Opcode ID: 1fa98072f8eaf05507fa63ce1bc88c1eaf4cf7b32bb04cdbff0d4c69fa08c6ad
• Instruction ID: dec0df28a768cc174fd2adc2b05bf1900ad554e936af1e7c54224dd283fe291c
• Opcode Fuzzy Hash: 1fa98072f8eaf05507fa63ce1bc88c1eaf4cf7b32bb04cdbff0d4c69fa08c6ad
• Instruction Fuzzy Hash: AFF01D32341124BBDB111BA7AC4CEAB7F7DEB4B7B1F004216FA25D3690C632891196A2
APIs
• LoadLibraryW.KERNEL32(USER32.dll,IsMenu,6CBF70E8), ref: 6CBF50A0
• GetProcAddress.KERNEL32(00000000), ref: 6CBF50A7
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: 0$IsMenu$USER32.dll
• API String ID: 2574300362-703140235
• Opcode ID: cc9a0f938fa14f8b072fec4081c3d8e5c63c78e31e07a8a098205318f7b74d17
• Instruction ID: 26210d2a029d98420bfd28eefd953acc5f0aa6ab2bbcbc41a9e975770cd4b0bf
• Opcode Fuzzy Hash: cc9a0f938fa14f8b072fec4081c3d8e5c63c78e31e07a8a098205318f7b74d17
• Instruction Fuzzy Hash: FB311430A45148EFCB04CFA8D594B9CBBB6FF42309F24C299C42567745C7306B9AEB49
APIs
• lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
• lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
• HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
• wsprintfW.USER32 ref: 6CBF3339
Strings
Memory Dump Source
• Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
Similarity
                                                                                                                                                                                  • API ID: lstrlen$AllocHeapwsprintf
                                                                                                                                                                                  • String ID: rundll32 "%s",%S
                                                                                                                                                                                  • API String ID: 458455750-2508549009
                                                                                                                                                                                  • Opcode ID: 5af5c74a5b491cc25dd7be06e68711dc9dbaa5a98aa34cbbcfee8b58046cc697
                                                                                                                                                                                  • Instruction ID: 03e81d6da2243d981d6fd24f2f93a5315b66ed2a564a357d18a82a0696aadbd9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5af5c74a5b491cc25dd7be06e68711dc9dbaa5a98aa34cbbcfee8b58046cc697
                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F05E32942528FBCF125F65DC0899A7B78EB0AB55B40C122FD39A7710D632CA258BD1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,00008002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF5792
                                                                                                                                                                                  • SetWindowLongW.USER32(00000000,00000000,31323334), ref: 6CBF57C5
                                                                                                                                                                                  • DestroyWindow.USER32(00000000,00000000), ref: 6CBF57FE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Window$CreateDestroyLong
                                                                                                                                                                                  • String ID: 4321
                                                                                                                                                                                  • API String ID: 409825929-3297689448
                                                                                                                                                                                  • Opcode ID: f3e5668419dce49ce9031371069b3d43b96762121ee3f97bc444d27e37a12afa
                                                                                                                                                                                  • Instruction ID: 1fe00eda46727468619b96eb3d1efaf5705df8dbaf8bad668acc8303ba3c5ac7
                                                                                                                                                                                  • Opcode Fuzzy Hash: f3e5668419dce49ce9031371069b3d43b96762121ee3f97bc444d27e37a12afa
                                                                                                                                                                                  • Instruction Fuzzy Hash: 76112A74E40288EFDB00DFA8CC49BAEB7B5FB05309F108599E5216B780C7746A49CF89
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2C92: GetModuleFileNameW.KERNEL32(0000007F,00000000,00000104,00000208,00000000,00000000,?,?,6CBF2386,00000000), ref: 6CBF2CB8
                                                                                                                                                                                    • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
                                                                                                                                                                                  • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,0000007F), ref: 6CBF23C0
                                                                                                                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23D2
                                                                                                                                                                                  • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23EA
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF2405
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3110218675-0
                                                                                                                                                                                  • Opcode ID: 905bf694174791799d3bf9d739f0a8b9a0c00a4c0e4b26336a5cb7e89f5f89f7
                                                                                                                                                                                  • Instruction ID: 42d5959779e206ba71a5bb1d240cd1dbc444fba2413c5b7adac5cfad64f60da8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 905bf694174791799d3bf9d739f0a8b9a0c00a4c0e4b26336a5cb7e89f5f89f7
                                                                                                                                                                                  • Instruction Fuzzy Hash: 161181B1601158BBDB11DA66CC49EEF7E7DEF42758F104021F625E3650D371CA4AC6A2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
                                                                                                                                                                                  • GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
                                                                                                                                                                                  • GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
                                                                                                                                                                                  • OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Process$CreateCurrentEventOpenVersion
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 845504543-0
                                                                                                                                                                                  • Opcode ID: ab5e7f3a4ed1d2a6a77747dbfbb83043efea3962590a7fb60e60a03e6a8c6304
                                                                                                                                                                                  • Instruction ID: 03ed0ff2bfeded511f8297972549a02d162fba300a47181b58eb7df4853f71a8
                                                                                                                                                                                  • Opcode Fuzzy Hash: ab5e7f3a4ed1d2a6a77747dbfbb83043efea3962590a7fb60e60a03e6a8c6304
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62F0DCB13827008BEF044B69B9197503BB8EB87B11F158626E231DB3C0D361C002CF15
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryW.KERNEL32(ntdll.dll,6CBF51A0,?,6CBF51A0,NtAllocateVirtualMemory), ref: 6CBF507C
                                                                                                                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 6CBF5083
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000004.00000002.1717839092.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000004.00000002.1717818088.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000004.00000002.1717839092.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_4_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressLibraryLoadProc
                                                                                                                                                                                  • String ID: ntdll.dll
                                                                                                                                                                                  • API String ID: 2574300362-2227199552
                                                                                                                                                                                  • Opcode ID: e5078b9ffba2687853459310ebf7c7746a89487c93fe6f6b41bbfde43f9fbaa9
                                                                                                                                                                                  • Instruction ID: 556942d24cc67699f56b70155a36ee8af9bc5f9ffd6a01f0db05e7033bb3bd89
                                                                                                                                                                                  • Opcode Fuzzy Hash: e5078b9ffba2687853459310ebf7c7746a89487c93fe6f6b41bbfde43f9fbaa9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 28C04C76600208AB8A005AF9AC08C9677AC965A6117404412B61983600C635A4588A65

                                                                                                                                                                                  Execution Graph

                                                                                                                                                                                  Execution Coverage:28.5%
                                                                                                                                                                                  Dynamic/Decrypted Code Coverage:1.1%
                                                                                                                                                                                  Signature Coverage:0%
                                                                                                                                                                                  Total number of Nodes:958
                                                                                                                                                                                  Total number of Limit Nodes:87
lstrlenW RegSetValueExW RegCloseKey 2998->2999 3000 6cbf2105 2998->3000 2999->3000 3001 6cbf2235 HeapFree 2999->3001 3002 6cbf2116 3000->3002 3024 6cbf1be5 3000->3024 3001->2990 3006 6cbf222f 3002->3006 3033 6cbf1c30 3002->3033 3006->3001 3007 6cbf21de 3007->3006 3009 6cbf21e3 RegOpenKeyExA 3007->3009 3008 6cbf2139 3010 6cbf2147 lstrcpyA RegCreateKeyA 3008->3010 3012 6cbf35c6 4 API calls 3008->3012 3009->3006 3011 6cbf21ff RegOpenKeyW 3009->3011 3010->3006 3013 6cbf217a RegQueryValueExA 3010->3013 3014 6cbf221a RegDeleteValueW RegCloseKey 3011->3014 3015 6cbf21d3 RegCloseKey 3011->3015 3016 6cbf2145 3012->3016 3017 6cbf219f 3013->3017 3018 6cbf21bb 3013->3018 3014->3015 3015->3006 3016->3010 3017->3018 3019 6cbf21a5 RegSetValueExA 3017->3019 3018->3015 3020 6cbf21c2 RegSetValueExA 3018->3020 3019->3018 3020->3015 3021->2812 3022->2812 3023->2809 3053 6cbf3a18 CreateFileW 3024->3053 3027 6cbf1c29 3027->3002 3028 6cbf2344 GetProcAddress 3029 6cbf1c12 3028->3029 3030 6cbf3a18 7 API calls 3029->3030 3031 6cbf1c20 3030->3031 3032 6cbf2344 GetProcAddress 3031->3032 3032->3027 3034 6cbf1c4f CreateFileW 3033->3034 3035 6cbf1c4c 3033->3035 3036 6cbf1cce GetLastError 3034->3036 3037 6cbf1c7c WriteFile 3034->3037 3035->3034 3040 6cbf1cd7 3036->3040 3038 6cbf1c98 WriteFile 3037->3038 3039 6cbf1cb1 GetLastError 3037->3039 3038->3039 3041 6cbf1cba SetEndOfFile CloseHandle 3038->3041 3039->3041 3042 6cbf1cde CreateFileW 3040->3042 3043 6cbf1d24 3040->3043 3041->3040 3044 6cbf1d1b GetLastError 3042->3044 3045 6cbf1cf6 WriteFile 3042->3045 3043->3007 3043->3008 3044->3043 3046 6cbf1d09 GetLastError 3045->3046 3047 6cbf1d12 FlushFileBuffers 3045->3047 3046->3047 3047->3043 3067 6cbf11b2 RtlAllocateHeap 3048->3067 3050 6cbf35e9 3051 6cbf3616 3050->3051 3052 6cbf35f0 memcpy memset 3050->3052 3051->2997 3052->3051 3054 6cbf3a97 GetLastError 3053->3054 3055 6cbf3a44 GetFileSize 3053->3055 3064 6cbf3a52 3054->3064 3056 6cbf3a59 3055->3056 3055->3064 3065 6cbf11b2 RtlAllocateHeap 
3056->3065 3058 6cbf3aae 3060 6cbf1bfb 3058->3060 3066 6cbf11c7 RtlFreeHeap 3058->3066 3059 6cbf3aa5 CloseHandle 3059->3058 3060->3027 3060->3028 3061 6cbf3a62 3061->3054 3062 6cbf3a68 ReadFile 3061->3062 3062->3054 3062->3064 3064->3058 3064->3059 3065->3061 3066->3060 3067->3050 3068->2819 3070 6cbf162e 3069->3070 3071 6cbf1591 3069->3071 3070->2825 3071->3070 3072 6cbf159e RtlUpcaseUnicodeString 3071->3072 3072->3070 3073 6cbf15b0 3072->3073 3074 6cbf1618 3073->3074 3077 6cbf15e2 3073->3077 3075 6cbf45f3 90 API calls 3074->3075 3076 6cbf1623 RtlFreeUnicodeString 3075->3076 3076->3070 3077->3076 3083 6cbf45f3 3077->3083 3082->2819 3084 6cbf22c9 5 API calls 3083->3084 3085 6cbf4613 OpenProcess 3084->3085 3086 6cbf462f 3085->3086 3087 6cbf46b4 GetLastError 3085->3087 3089 6cbf4633 3086->3089 3090 6cbf4641 GetProcAddress GetProcAddress 3086->3090 3088 6cbf1606 3087->3088 3088->3076 3098 6cbf13e7 memset 3088->3098 3089->3090 3091 6cbf463c 3089->3091 3090->3091 3092 6cbf4667 3090->3092 3093 6cbf46a9 CloseHandle 3091->3093 3092->3091 3094 6cbf469a GetLastError 3092->3094 3095 6cbf4681 3092->3095 3093->3088 3094->3093 3114 6cbf449e memset 3095->3114 3097 6cbf468d CloseHandle 3097->3093 3099 6cbf3585 4 API calls 3098->3099 3100 6cbf1419 3099->3100 3101 6cbf14b2 3100->3101 3102 6cbf2344 GetProcAddress 3100->3102 3101->3076 3103 6cbf1430 CreateProcessA 3102->3103 3104 6cbf2344 GetProcAddress 3103->3104 3105 6cbf1453 3104->3105 3106 6cbf1499 GetLastError 3105->3106 3107 6cbf1457 3105->3107 3109 6cbf14a2 HeapFree 3106->3109 3108 6cbf449e 83 API calls 3107->3108 3110 6cbf1463 3108->3110 3109->3101 3111 6cbf146b WaitForSingleObject 3110->3111 3112 6cbf1487 CloseHandle CloseHandle 3110->3112 3111->3112 3113 6cbf147b GetExitCodeProcess 3111->3113 3112->3109 3113->3112 3115 6cbf22c9 5 API calls 3114->3115 3116 6cbf44dd 3115->3116 3117 6cbf44e5 3116->3117 3118 6cbf45ad 3116->3118 3120 6cbf4507 3117->3120 3137 6cbf3ca4 3117->3137 3166 6cbf4341 memset 3118->3166 3152 6cbf2db0 
3120->3152 3122 6cbf45b5 3125 6cbf45d9 GetLastError 3122->3125 3126 6cbf45e1 ResumeThread 3122->3126 3125->3126 3126->3097 3129 6cbf4549 ResumeThread WaitForSingleObject 3130 6cbf456a SuspendThread 3129->3130 3132 6cbf4544 3129->3132 3162 6cbf2d8f 3130->3162 3132->3129 3132->3130 3133 6cbf4594 3132->3133 3135 6cbf4599 3133->3135 3183 6cbf3ed3 3133->3183 3136 6cbf3c49 5 API calls 3135->3136 3136->3122 3207 6cbf11b2 RtlAllocateHeap 3137->3207 3139 6cbf3cbc 3140 6cbf3d7d 3139->3140 3208 6cbf2c25 memset ZwQueryInformationProcess 3139->3208 3140->3120 3143 6cbf2db0 2 API calls 3145 6cbf3ce7 3143->3145 3146 6cbf2db0 2 API calls 3145->3146 3151 6cbf3d6a 3145->3151 3147 6cbf3d03 3146->3147 3148 6cbf2db0 2 API calls 3147->3148 3147->3151 3149 6cbf3d4f 3148->3149 3150 6cbf2db0 2 API calls 3149->3150 3149->3151 3150->3151 3212 6cbf11c7 RtlFreeHeap 3151->3212 3153 6cbf2dbf 3152->3153 3154 6cbf2ddc RtlNtStatusToDosError SetLastError 3153->3154 3155 6cbf2dd4 3153->3155 3154->3155 3155->3125 3156 6cbf3c49 VirtualProtectEx 3155->3156 3157 6cbf3c9c 3156->3157 3158 6cbf3c6c 3156->3158 3157->3125 3157->3132 3213 6cbf2df1 3158->3213 3163 6cbf2dad 3162->3163 3164 6cbf2d9c RtlNtStatusToDosError 3162->3164 3163->3132 3164->3163 3218 6cbf26ae 3166->3218 3171 6cbf4494 3171->3122 3175 6cbf43dc 3175->3171 3176 6cbf43f6 ResumeThread WaitForSingleObject 3175->3176 3177 6cbf4417 Wow64SuspendThread 3175->3177 3180 6cbf4460 3175->3180 3176->3175 3176->3177 3258 6cbf4b80 3177->3258 3179 6cbf446c 3182 6cbf40cd 19 API calls 3179->3182 3180->3179 3181 6cbf3ed3 59 API calls 3180->3181 3181->3179 3182->3171 3185 6cbf3ef8 3183->3185 3184 6cbf3f1b 3184->3135 3185->3184 3314 6cbf4943 NtCreateSection 3185->3314 3188 6cbf40b5 3188->3184 3191 6cbf40bb CloseHandle 3188->3191 3189 6cbf40a3 NtUnmapViewOfSection RtlNtStatusToDosError 3189->3188 3191->3184 3192 6cbf3f8d 3206 6cbf409a 3192->3206 3324 6cbf4a02 memcpy 3192->3324 3195 6cbf3fb8 memcpy 3198 6cbf3fc4 memcpy 3195->3198 3197 6cbf401b 3199 6cbf4064 
3197->3199 3201 6cbf4057 3197->3201 3198->3197 3338 6cbf3d87 3199->3338 3328 6cbf3e34 3201->3328 3203 6cbf4062 3204 6cbf4071 memcpy 3203->3204 3203->3206 3350 6cbf29aa 3204->3350 3206->3188 3206->3189 3207->3139 3209 6cbf2c81 3208->3209 3210 6cbf2c66 3208->3210 3209->3143 3209->3151 3211 6cbf2db0 2 API calls 3210->3211 3211->3209 3212->3140 3214 6cbf2e18 3213->3214 3215 6cbf2e00 NtWriteVirtualMemory 3213->3215 3216 6cbf2e1d RtlNtStatusToDosError SetLastError 3214->3216 3215->3216 3217 6cbf2e15 VirtualProtectEx 3215->3217 3216->3217 3217->3157 3219 6cbf26bc 3218->3219 3227 6cbf271d 3218->3227 3261 6cbf2b4b 3219->3261 3221 6cbf26cc 3222 6cbf2b4b 18 API calls 3221->3222 3223 6cbf26e7 3222->3223 3224 6cbf2b4b 18 API calls 3223->3224 3225 6cbf2702 3224->3225 3226 6cbf2b4b 18 API calls 3225->3226 3226->3227 3228 6cbf41ba 3227->3228 3308 6cbf11b2 RtlAllocateHeap 3228->3308 3230 6cbf41e0 3231 6cbf430a 3230->3231 3232 6cbf41ea memset 3230->3232 3233 6cbf4337 3231->3233 3313 6cbf11c7 RtlFreeHeap 3231->3313 3309 6cbf2286 3232->3309 3233->3171 3246 6cbf2471 3233->3246 3237 6cbf422c 3237->3231 3239 6cbf2471 2 API calls 3237->3239 3238 6cbf241d 2 API calls 3238->3237 3240 6cbf4267 3239->3240 3240->3231 3241 6cbf2471 2 API calls 3240->3241 3242 6cbf4289 3241->3242 3242->3231 3243 6cbf2471 2 API calls 3242->3243 3244 6cbf42ed 3243->3244 3244->3231 3245 6cbf2471 2 API calls 3244->3245 3245->3231 3247 6cbf241d 2 API calls 3246->3247 3248 6cbf2487 3247->3248 3248->3171 3249 6cbf40cd 3248->3249 3250 6cbf26ae 18 API calls 3249->3250 3251 6cbf40f6 3250->3251 3252 6cbf4b80 NtProtectVirtualMemory 3251->3252 3253 6cbf4145 3252->3253 3254 6cbf41ad 3253->3254 3255 6cbf4b80 NtProtectVirtualMemory 3253->3255 3254->3175 3256 6cbf4173 3255->3256 3257 6cbf4b80 NtProtectVirtualMemory 3256->3257 3257->3254 3259 6cbf4b98 3258->3259 3260 6cbf4bb8 NtProtectVirtualMemory 3259->3260 3260->3175 3262 6cbf2b57 3261->3262 3273 6cbf2a18 3262->3273 3265 6cbf2b7c VirtualAlloc 3268 6cbf2b94 3265->3268 3272 
6cbf2bda 3265->3272 3266 6cbf2c09 VirtualFree 3267 6cbf2c18 3266->3267 3267->3221 3270 6cbf2bc8 3268->3270 3286 6cbf241d 3268->3286 3271 6cbf389c 2 API calls 3270->3271 3271->3272 3272->3266 3272->3267 3290 6cbf2492 GetProcAddress 3273->3290 3276 6cbf2a5d 3277 6cbf2492 7 API calls 3276->3277 3280 6cbf2a7b VirtualFree VirtualAlloc 3276->3280 3285 6cbf2a9b 3276->3285 3277->3276 3278 6cbf2b2f VirtualFree 3279 6cbf2b3d 3278->3279 3279->3265 3279->3272 3280->3276 3280->3285 3281 6cbf2abc lstrcmpiA 3282 6cbf2afe 3281->3282 3283 6cbf2ad0 StrChrA 3281->3283 3282->3278 3282->3279 3284 6cbf2add lstrcmpiA 3283->3284 3283->3285 3284->3282 3284->3285 3285->3281 3285->3282 3287 6cbf244e NtWow64ReadVirtualMemory64 3286->3287 3288 6cbf2434 GetProcAddress 3286->3288 3289 6cbf2467 3287->3289 3288->3287 3288->3289 3289->3268 3291 6cbf24be NtWow64QueryInformationProcess64 3290->3291 3295 6cbf268b VirtualAlloc 3290->3295 3292 6cbf24d6 3291->3292 3291->3295 3293 6cbf11b2 RtlAllocateHeap 3292->3293 3294 6cbf24e0 3293->3294 3294->3295 3296 6cbf11b2 RtlAllocateHeap 3294->3296 3295->3276 3295->3282 3297 6cbf24f5 3296->3297 3298 6cbf266a 3297->3298 3299 6cbf241d GetProcAddress NtWow64ReadVirtualMemory64 3297->3299 3300 6cbf11c7 RtlFreeHeap 3298->3300 3302 6cbf250d 3299->3302 3301 6cbf2681 3300->3301 3301->3295 3303 6cbf11c7 RtlFreeHeap 3301->3303 3302->3298 3304 6cbf241d GetProcAddress NtWow64ReadVirtualMemory64 3302->3304 3303->3295 3306 6cbf2529 3304->3306 3305 6cbf241d GetProcAddress NtWow64ReadVirtualMemory64 3305->3306 3306->3298 3306->3305 3307 6cbf2629 StrRChrA 3306->3307 3307->3306 3308->3230 3310 6cbf22af NtWow64QueryInformationProcess64 3309->3310 3311 6cbf2295 GetProcAddress 3309->3311 3312 6cbf22c3 3310->3312 3311->3310 3311->3312 3312->3237 3312->3238 3313->3233 3315 6cbf49de RtlNtStatusToDosError 3314->3315 3316 6cbf49a8 3314->3316 3322 6cbf49d7 3315->3322 3362 6cbf4904 NtMapViewOfSection RtlNtStatusToDosError 3316->3362 3318 6cbf49b6 3320 6cbf49bc memset 3318->3320 3318->3322 
3319 6cbf3f5d 3319->3206 3323 6cbf4904 NtMapViewOfSection RtlNtStatusToDosError 3319->3323 3320->3322 3321 6cbf49f0 ZwClose 3321->3319 3322->3319 3322->3321 3323->3192 3325 6cbf4a4d 3324->3325 3327 6cbf3fa6 3324->3327 3326 6cbf4a67 memcpy 3325->3326 3325->3327 3326->3325 3327->3195 3327->3198 3327->3206 3329 6cbf3e44 3328->3329 3330 6cbf2b4b 18 API calls 3329->3330 3331 6cbf3eba memcpy 3329->3331 3332 6cbf3e6f 3330->3332 3333 6cbf3ecd 3331->3333 3332->3333 3334 6cbf2b4b 18 API calls 3332->3334 3333->3203 3335 6cbf3e8c 3334->3335 3335->3333 3336 6cbf2b4b 18 API calls 3335->3336 3337 6cbf3ea9 3336->3337 3337->3331 3337->3333 3339 6cbf3d98 3338->3339 3340 6cbf3db2 GetModuleHandleA 3338->3340 3339->3340 3343 6cbf3e1a memcpy 3339->3343 3341 6cbf3e2d 3340->3341 3342 6cbf3dc6 3340->3342 3341->3203 3363 6cbf236c 3342->3363 3343->3341 3346 6cbf236c 11 API calls 3347 6cbf3dec 3346->3347 3347->3341 3348 6cbf236c 11 API calls 3347->3348 3349 6cbf3e08 3348->3349 3349->3341 3349->3343 3377 6cbf11b2 RtlAllocateHeap 3350->3377 3352 6cbf29bf 3353 6cbf2a0e 3352->3353 3354 6cbf29c5 memset 3352->3354 3353->3206 3355 6cbf29fe 3354->3355 3356 6cbf29eb 3354->3356 3393 6cbf2885 memset 3355->3393 3356->3355 3357 6cbf29f4 3356->3357 3378 6cbf272f memset 3357->3378 3360 6cbf29fc 3407 6cbf11c7 RtlFreeHeap 3360->3407 3362->3318 3364 6cbf2c92 5 API calls 3363->3364 3365 6cbf2386 3364->3365 3366 6cbf2414 3365->3366 3367 6cbf389c 2 API calls 3365->3367 3366->3341 3366->3346 3368 6cbf2398 3367->3368 3370 6cbf23ad CreateFileA 3368->3370 3371 6cbf240b 3368->3371 3370->3371 3372 6cbf23ce SetFilePointer 3370->3372 3376 6cbf11c7 RtlFreeHeap 3371->3376 3373 6cbf23dc ReadFile 3372->3373 3374 6cbf2402 CloseHandle 3372->3374 3373->3374 3375 6cbf23f4 3373->3375 3374->3371 3375->3374 3376->3366 3377->3352 3379 6cbf26ae 18 API calls 3378->3379 3380 6cbf2762 memcpy 3379->3380 3408 6cbf2e32 3380->3408 3383 6cbf279f 3385 6cbf4b80 NtProtectVirtualMemory 3383->3385 3384 6cbf2794 GetLastError 3392 6cbf2865 
3384->3392 3388 6cbf27c2 3385->3388 3386 6cbf27c9 3386->3360 3387 6cbf2877 GetLastError 3387->3386 3388->3386 3389 6cbf2df1 3 API calls 3388->3389 3390 6cbf281d 3389->3390 3390->3387 3391 6cbf4b80 NtProtectVirtualMemory 3390->3391 3391->3392 3392->3386 3392->3387 3394 6cbf28be 3393->3394 3395 6cbf2982 3393->3395 3396 6cbf2e32 3 API calls 3394->3396 3398 6cbf299a GetLastError 3395->3398 3400 6cbf29a3 3395->3400 3397 6cbf28cf 3396->3397 3397->3398 3399 6cbf2d8f RtlNtStatusToDosError 3397->3399 3398->3400 3401 6cbf28e8 3399->3401 3400->3360 3401->3395 3402 6cbf28f3 memcpy 3401->3402 3403 6cbf2935 3402->3403 3404 6cbf2df1 3 API calls 3403->3404 3405 6cbf295d 3404->3405 3405->3395 3405->3400 3406 6cbf297b RtlNtStatusToDosError 3405->3406 3406->3395 3407->3353 3409 6cbf278c 3408->3409 3410 6cbf2e44 NtAllocateVirtualMemory 3408->3410 3409->3383 3409->3384 3410->3409 3411 6cbf2e69 RtlNtStatusToDosError SetLastError 3410->3411 3411->3409 3413 6cbf692b memset GetModuleHandleA InitializeCriticalSection LoadLibraryW 3412->3413 3434 6cbf6924 3412->3434 3414 6cbf6976 LoadLibraryW 3413->3414 3413->3434 3415 6cbf698c 3414->3415 3414->3434 3453 6cbf4fc0 GetVersionExW 3415->3453 3418 6cbf7032 RegisterClassExW 3419 6cbf70ab CreateWindowExW 3418->3419 3418->3434 3421 6cbf70df 3419->3421 3424 6cbf70e8 3419->3424 3481 6cbf51f0 3421->3481 3423 6cbf714e CreateThread 3426 6cbf72a7 UnregisterClassW VirtualFree 3423->3426 3427 6cbf7182 WaitForSingleObject 3423->3427 3492 6cbf5e30 3423->3492 3424->3423 3424->3434 3425 6cbf6a81 IsWow64Process 3440 6cbf6a91 3425->3440 3426->3434 3428 6cbf71a8 3427->3428 3429 6cbf71b7 TerminateThread 3427->3429 3428->3429 3430 6cbf71da WaitForSingleObject TerminateThread 3429->3430 3431 6cbf7206 3429->3431 3430->3431 3432 6cbf7215 WaitForSingleObject TerminateThread 3431->3432 3433 6cbf7241 RemoveFontResourceExW 3431->3433 3432->3433 3436 6cbf725b 3433->3436 3437 6cbf7259 3433->3437 3434->2831 3435 6cbf69bf 3435->3425 3435->3434 3485 6cbf5240 3436->3485 
3437->3433 3440->3434 3441 6cbf6bfe LoadLibraryExW 3440->3441 3442 6cbf6c12 3440->3442 3443 6cbf6c2e 3441->3443 3442->3443 3444 6cbf6c1c LoadLibraryExW 3442->3444 3445 6cbf6c38 GetProcAddress 3443->3445 3452 6cbf6c54 3443->3452 3444->3443 3445->3452 3457 6cbf5760 CreateWindowExW 3452->3457 3454 6cbf4fe4 3453->3454 3454->3418 3454->3435 3455 6cbf5020 GetModuleHandleW 3454->3455 3456 6cbf503a 3455->3456 3456->3435 3458 6cbf5804 3457->3458 3459 6cbf57a1 3457->3459 3465 6cbf5810 RegisterClassExW 3458->3465 3460 6cbf51f0 2 API calls 3459->3460 3461 6cbf57aa 3460->3461 3462 6cbf57fa DestroyWindow 3461->3462 3463 6cbf57b3 SetWindowLongW 3461->3463 3462->3458 3464 6cbf57cd 3463->3464 3464->3462 3466 6cbf58ae CreateWindowExW 3465->3466 3467 6cbf58a7 3465->3467 3466->3467 3468 6cbf58ea RegisterClassExW 3466->3468 3467->3418 3467->3434 3476 6cbf5190 3467->3476 3468->3467 3469 6cbf5910 CreateWindowExW 3468->3469 3469->3467 3470 6cbf594b 3469->3470 3471 6cbf51f0 2 API calls 3470->3471 3472 6cbf5954 3471->3472 3473 6cbf51f0 2 API calls 3472->3473 3475 6cbf5960 3473->3475 3474 6cbf59c6 DestroyWindow DestroyWindow 3474->3467 3475->3467 3475->3474 3489 6cbf5070 LoadLibraryW GetProcAddress 3476->3489 3478 6cbf51a0 3479 6cbf51d2 3478->3479 3480 6cbf51a9 GetCurrentProcess 3478->3480 3479->3418 3480->3479 3482 6cbf5204 3481->3482 3484 6cbf5209 3481->3484 3490 6cbf5090 LoadLibraryW GetProcAddress 3482->3490 3484->3424 3486 6cbf5254 3485->3486 3487 6cbf526e UnregisterClassW 3486->3487 3488 6cbf52a6 UnregisterClassW UnregisterClassW UnregisterClassW 3486->3488 3487->3486 3488->3426 3489->3478 3491 6cbf50b9 3490->3491 3491->3484 3493 6cbf5e9f 3492->3493 3494 6cbf5eae 3492->3494 3493->3494 3495 6cbf5eb5 VirtualAlloc 3493->3495 3496 6cbf5edc SHGetFolderPathW 3495->3496 3497 6cbf6162 3495->3497 3496->3497 3499 6cbf5f0b wcslen 3496->3499 3497->3494 3498 6cbf6174 RegisterClassExW 3497->3498 3498->3494 3500 6cbf6211 memset 3498->3500 3501 6cbf5f6d memset memcpy memcpy AddFontResourceExW 
3499->3501 3502 6cbf5f36 3499->3502 3503 6cbf6233 3500->3503 3504 6cbf5fdf RemoveFontResourceExW 3501->3504 3505 6cbf5ff9 3501->3505 3502->3501 3506 6cbf624e CreateWindowExW 3503->3506 3513 6cbf6297 3503->3513 3504->3505 3505->3497 3507 6cbf6003 memset memcpy FindFirstFileW 3505->3507 3506->3503 3506->3513 3508 6cbf6127 3507->3508 3509 6cbf6073 FindNextFileW 3507->3509 3508->3497 3511 6cbf6130 AddFontResourceExW 3508->3511 3509->3508 3510 6cbf608f 3509->3510 3510->3509 3515 6cbf60aa memset memcpy wcslen memcpy 3510->3515 3511->3497 3512 6cbf6148 RemoveFontResourceExW 3511->3512 3512->3497 3516 6cbf6419 3513->3516 3517 6cbf51f0 2 API calls 3513->3517 3514 6cbf6525 3514->3494 3518 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3514->3518 3515->3510 3516->3514 3519 6cbf650f DestroyWindow 3516->3519 3520 6cbf6308 3517->3520 3518->3494 3521 6cbf6598 SetWindowLongW 3518->3521 3519->3516 3522 6cbf51f0 2 API calls 3520->3522 3523 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3521->3523 3529 6cbf6324 3522->3529 3523->3494 3524 6cbf664a SetThreadAffinityMask 3523->3524 3585 6cbf5500 memcpy 3523->3585 3596 6cbf53f0 3523->3596 3524->3494 3525 6cbf667f SetThreadAffinityMask 3524->3525 3526 6cbf6698 7 API calls 3525->3526 3527 6cbf6706 7 API calls 3525->3527 3528 6cbf6772 ResumeThread ResumeThread Sleep 3526->3528 3527->3528 3533 6cbf679f 3528->3533 3529->3516 3534 6cbf51f0 2 API calls 3529->3534 3530 6cbf67c5 LeaveCriticalSection 3531 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3530->3531 3532 6cbf67e5 memset 3530->3532 3531->3533 3532->3531 3533->3494 3533->3530 3535 6cbf6854 SetMenu 3533->3535 3536 6cbf6886 3533->3536 3537 6cbf63fa 3534->3537 3535->3533 3540 6cbf5bb0 3536->3540 3539 6cbf51f0 2 API calls 3537->3539 3539->3516 3568 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3540->3568 3542 6cbf5c0b 3569 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3542->3569 3544 6cbf5c75 3572 6cbf5320 SetWindowLongW 
GetAncestor SetWindowLongW 3544->3572 3547 6cbf5c22 3547->3544 3548 6cbf5c5c 3547->3548 3570 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3547->3570 3571 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3548->3571 3550 6cbf5ddb 3576 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3550->3576 3551 6cbf5cf6 GetCurrentProcessId 3553 6cbf5cc1 3551->3553 3553->3551 3555 6cbf5d72 3553->3555 3556 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3553->3556 3566 6cbf5d58 3553->3566 3555->3550 3559 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3555->3559 3563 6cbf5dc7 3555->3563 3556->3553 3557 6cbf5df1 3577 6cbf59f0 3557->3577 3558 6cbf5c85 3558->3553 3573 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3558->3573 3559->3555 3562 6cbf59f0 9 API calls 3564 6cbf5e1c 3562->3564 3575 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3563->3575 3564->3494 3574 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3566->3574 3568->3542 3569->3547 3570->3547 3571->3544 3572->3558 3573->3558 3574->3555 3575->3550 3576->3557 3582 6cbf5a37 3577->3582 3578 6cbf5a5d VirtualAlloc 3579 6cbf5aa1 memset SetWindowLongW SetClassLongW SetWindowLongW VirtualFree 3578->3579 3581 6cbf5a9a 3578->3581 3579->3581 3581->3562 3582->3578 3583 6cbf5a50 3582->3583 3584 6cbf5320 SetWindowLongW GetAncestor SetWindowLongW 3582->3584 3583->3578 3584->3582 3590 6cbf5592 3585->3590 3586 6cbf5752 3587 6cbf5240 UnregisterClassW 3586->3587 3588 6cbf5757 3587->3588 3589 6cbf564e EnterCriticalSection SuspendThread 3589->3590 3590->3586 3590->3589 3591 6cbf5240 UnregisterClassW 3590->3591 3592 6cbf56bf RegisterClassExW 3590->3592 3593 6cbf56ab RemoveFontResourceExW 3590->3593 3594 6cbf5240 UnregisterClassW 3590->3594 3595 6cbf5722 ResumeThread LeaveCriticalSection SwitchToThread 3590->3595 3591->3590 3592->3590 3593->3592 3594->3595 3595->3590 3599 6cbf53fb 3596->3599 3597 6cbf54f0 3598 6cbf542f RemoveFontResourceExW SetThreadAffinityMask 3598->3599 3599->3597 3599->3598 3600 6cbf5494 
SetThreadPriority 3599->3600 3601 6cbf5473 SetThreadAffinityMask 3599->3601 3602 6cbf54e5 SwitchToThread 3599->3602 3603 6cbf54d2 ResumeThread 3599->3603 3600->3599 3601->3599 3602->3599 3603->3602 3621 6cbf3b2b GetTempPathA 3604->3621 3606 6cbf3ba2 3607 6cbf1d52 3606->3607 3608 6cbf361f 4 API calls 3606->3608 3607->2846 3611 6cbf3ac5 CreateFileW 3607->3611 3609 6cbf3bb0 3608->3609 3631 6cbf11c7 RtlFreeHeap 3609->3631 3612 6cbf3aeb GetLastError 3611->3612 3613 6cbf3af5 WriteFile 3611->3613 3614 6cbf3b23 3612->3614 3615 6cbf3b0b SetEndOfFile 3613->3615 3616 6cbf3b14 GetLastError 3613->3616 3614->2839 3617 6cbf3b1c CloseHandle 3615->3617 3616->3617 3617->3614 3618->2842 3619->2849 3620->2846 3622 6cbf3b40 3621->3622 3630 6cbf3b8b 3621->3630 3632 6cbf11b2 RtlAllocateHeap 3622->3632 3624 6cbf3b49 3625 6cbf3b4f GetTempPathA 3624->3625 3624->3630 3626 6cbf3b57 GetTickCount GetTempFileNameA 3625->3626 3627 6cbf3b85 3625->3627 3626->3627 3628 6cbf3b70 PathFindExtensionA lstrcpyA 3626->3628 3633 6cbf11c7 RtlFreeHeap 3627->3633 3628->3630 3630->3606 3631->3607 3632->3624 3633->3630 3634->2864 3635->2864 3636->2858 3637->2867 3658 6cbf62a7 3660 6cbf62b6 3658->3660 3659 6cbf6525 3663 6cbf6549 SetParent SetWindowLongW GetWindowLongW 3659->3663 3685 6cbf6542 3659->3685 3661 6cbf6419 3660->3661 3662 6cbf51f0 2 API calls 3660->3662 3661->3659 3664 6cbf650f DestroyWindow 3661->3664 3665 6cbf6308 3662->3665 3666 6cbf6598 SetWindowLongW 3663->3666 3663->3685 3664->3661 3667 6cbf51f0 2 API calls 3665->3667 3668 6cbf65d3 EnterCriticalSection CreateThread CreateThread SetThreadAffinityMask 3666->3668 3674 6cbf6324 3667->3674 3669 6cbf664a SetThreadAffinityMask 3668->3669 3668->3685 3686 6cbf5500 9 API calls 3668->3686 3687 6cbf53f0 6 API calls 3668->3687 3670 6cbf667f SetThreadAffinityMask 3669->3670 3669->3685 3671 6cbf6698 7 API calls 3670->3671 3672 6cbf6706 7 API calls 3670->3672 3673 6cbf6772 ResumeThread ResumeThread Sleep 3671->3673 3672->3673 3678 6cbf679f 3673->3678 3674->3661 
3679 6cbf51f0 2 API calls 3674->3679 3675 6cbf67c5 LeaveCriticalSection 3676 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3675->3676 3677 6cbf67e5 memset 3675->3677 3676->3678 3677->3676 3678->3675 3680 6cbf6854 SetMenu 3678->3680 3681 6cbf6886 3678->3681 3678->3685 3682 6cbf63fa 3679->3682 3680->3678 3683 6cbf5bb0 10 API calls 3681->3683 3684 6cbf51f0 2 API calls 3682->3684 3683->3685 3684->3661 3688 6cbf70a6 3689 6cbf7139 3688->3689 3690 6cbf714e CreateThread 3689->3690 3691 6cbf7147 3689->3691 3692 6cbf72a7 UnregisterClassW VirtualFree 3690->3692 3693 6cbf7182 WaitForSingleObject 3690->3693 3704 6cbf5e30 67 API calls 3690->3704 3692->3691 3694 6cbf71a8 3693->3694 3695 6cbf71b7 TerminateThread 3693->3695 3694->3695 3696 6cbf71da WaitForSingleObject TerminateThread 3695->3696 3697 6cbf7206 3695->3697 3696->3697 3698 6cbf7215 WaitForSingleObject TerminateThread 3697->3698 3699 6cbf7241 RemoveFontResourceExW 3697->3699 3698->3699 3700 6cbf725b 3699->3700 3701 6cbf7259 3699->3701 3702 6cbf5240 UnregisterClassW 3700->3702 3701->3699 3703 6cbf7260 UnregisterClassW UnregisterClassW UnregisterClassW 3702->3703 3703->3692 3793 6cbf6645 3794 6cbf6772 ResumeThread ResumeThread Sleep 3793->3794 3800 6cbf679f 3794->3800 3795 6cbf67c5 LeaveCriticalSection 3796 6cbf67f6 AddFontResourceExW EnterCriticalSection GetWindowLongW 3795->3796 3797 6cbf67e5 memset 3795->3797 3796->3800 3797->3796 3798 6cbf6854 SetMenu 3798->3800 3799 6cbf6886 3801 6cbf5bb0 10 API calls 3799->3801 3800->3795 3800->3798 3800->3799 3802 6cbf688b 3800->3802 3801->3802 3803 6cbf7344 3804 6cbf7362 3803->3804 3806 6cbf73f8 3803->3806 3805 6cbf755d NtQueryVirtualMemory 3804->3805 3808 6cbf737d 3805->3808 3807 6cbf7448 RtlUnwind 3807->3808 3808->3806 3808->3807 3651 6cbf1142 3652 6cbf114f 3651->3652 3653 6cbf1191 InterlockedDecrement 3651->3653 3654 6cbf1179 3652->3654 3656 6cbf1152 InterlockedIncrement 3652->3656 3653->3654 3655 6cbf11a0 HeapDestroy 3653->3655 3655->3654 3656->3654 3657 
6cbf1161 HeapCreate 3656->3657 3657->3654 3751 6cbf5300 DefWindowProcW

Control-flow Graph

APIs
• HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
• HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
• memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
• CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
• GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
• CloseHandle.KERNEL32(?), ref: 6CBF3097
• StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
• lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
• FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
• FindNextFileA.KERNEL32(?,?), ref: 6CBF3125
• FindClose.KERNEL32(?), ref: 6CBF3132
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF313E
• CompareFileTime.KERNEL32(?,?), ref: 6CBF3160
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF3193
• memcpy.NTDLL(00000000,?,00000000), ref: 6CBF31CC
• FindNextFileA.KERNELBASE(?,?), ref: 6CBF31E1
• FindClose.KERNEL32(?), ref: 6CBF31EE
• FindFirstFileA.KERNEL32(6CBF11FC,?), ref: 6CBF31FA
• CompareFileTime.KERNEL32(?,?), ref: 6CBF320A
• FindClose.KERNELBASE(?), ref: 6CBF322E
• HeapFree.KERNEL32(00000000,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF3240
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,6CBF11FC), ref: 6CBF3250
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Find$CloseHeapTime$CompareFirst$AllocEnvironmentExpandFreeNextStrings$CreateHandlelstrcatmemcpymemset
                                                                                                                                                                                  • String ID: %systemroot%\system32\c_1252.nls$C;U$N;U$\*.dll
                                                                                                                                                                                  • API String ID: 65366329-1666359264
                                                                                                                                                                                  • Opcode ID: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
                                                                                                                                                                                  • Instruction ID: 05d5463d24ce46c45770ecb8a2ba2b729a7eeb245f1c4261e05fee7f870330c0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8bfe85c686b859e32d663bfbdc38469e68eb924290b9e3af41769beda2d7145c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 55815AB1E00159AFDF119FA5DC88AEEBBB9FB4A300F10416AE525E3350D7319A49CF61

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetupDiGetClassDevsA.SETUPAPI(?,00000000,00000000,00000002), ref: 6CBF1022
                                                                                                                                                                                  • SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,?), ref: 6CBF1043
                                                                                                                                                                                  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(00000000,0000001C,0000000C,?,00000000,00000000,?), ref: 6CBF1068
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • SetupDiGetDeviceRegistryPropertyA.SETUPAPI(?,0000001C,0000000C,?,00000000,?,?), ref: 6CBF1092
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,vbox), ref: 6CBF10A4
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,qemu), ref: 6CBF10B0
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,vmware), ref: 6CBF10BC
                                                                                                                                                                                  • StrStrIA.SHLWAPI(00000000,virtual hd), ref: 6CBF10C8
                                                                                                                                                                                  • SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 6CBF10DA
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Setup$Device$InfoPropertyRegistry$AllocateClassDestroyDevsEnumHeapList
                                                                                                                                                                                  • String ID: qemu$vbox$virtual hd$vmware
                                                                                                                                                                                  • API String ID: 2901969455-1017834832
                                                                                                                                                                                  • Opcode ID: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
                                                                                                                                                                                  • Instruction ID: fd22ef24022785b512a174992cb252a9fd1467c273b143b92da56823b82780ef
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f012ec0d5601a490ebe33426e5b0493e48f26cd71df1a1425a387c5d675511a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5B21697190115DBAEF01DAA5CD80DFFBBBCEB06758F140526F920E3640D7719E0A9B61
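The function above is the sample's hardware-name VM check: it enumerates present devices (SetupDiGetClassDevsA with flags 0x2 = DIGCF_PRESENT), reads property 0x0C = SPDRP_FRIENDLYNAME for each with SetupDiGetDeviceRegistryPropertyA (first call is the size probe, second fills the heap buffer), and runs a case-insensitive StrStrIA for "vbox", "qemu", "vmware" and "virtual hd". The PowerShell script below is an added example, not part of the Joe Sandbox report and not the sample's code: it lets a sandbox operator see whether the device names on an analysis VM would satisfy the same four substring tests. It reads names through CIM's Win32_PnPEntity instead of SetupAPI (an assumption that both expose the same friendly-name strings), and the device objects in the dry run at the bottom are constructed, not taken from a real host.

```powershell
# Added example (not from the report or the sample): apply the sample's four
# case-insensitive device-name tests to the local machine, or to supplied
# objects for an offline dry run.

$script:VmNeedles = @('vbox', 'qemu', 'vmware', 'virtual hd')   # strings listed in the report

function Test-VmDeviceNames {
    param(
        [string[]]$Needles = $script:VmNeedles,
        # Default: live enumeration of present PnP devices via CIM (Win32_PnPEntity.Name
        # is the friendly name the sample asks SetupAPI for; Description is checked too).
        [object[]]$Devices = (Get-CimInstance -ClassName Win32_PnPEntity |
                              Where-Object { $_.Present } |
                              Select-Object Name, Description)
    )
    foreach ($d in $Devices) {
        foreach ($field in @($d.Name, $d.Description)) {
            if ([string]::IsNullOrEmpty($field)) { continue }
            foreach ($n in $Needles) {
                # StrStrIA is a case-insensitive substring search; IndexOf with
                # OrdinalIgnoreCase mirrors that without regex metacharacter issues.
                if ($field.IndexOf($n, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Device = $field; Matched = $n }
                }
            }
        }
    }
}

# Dry run on constructed sample objects (illustrative names, not captured from a host):
$constructedDevices = @(
    [pscustomobject]@{ Name = 'VMware Virtual disk SCSI Disk Device';        Description = 'Disk drive' },
    [pscustomobject]@{ Name = 'Intel(R) 82574L Gigabit Network Connection';  Description = 'Network adapter' },
    [pscustomobject]@{ Name = 'QEMU DVD-ROM';                                Description = 'CD-ROM Drive' }
)
Test-VmDeviceNames -Devices $constructedDevices | Format-Table -AutoSize

# Live run on the analysis VM; no output means no present device name contains
# any of the four substrings, so this particular check would not fire:
# Test-VmDeviceNames | Format-Table -AutoSize
```

A hit on the live run means the VM's device friendly names alone are enough to trip this check; renaming or swapping the offending virtual devices is the usual remediation, but note the report shows other evasion checks in the same sample, so passing this one does not by itself make the sandbox transparent.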

                                                                                                                                                                                   Control-flow Graph
                                                                                                                                                                                   (rendered as an image on the original page; summary of the extracted graph) Function 6cbf3ed3-6cbf40ca, 42 basic blocks. From the entry block at 6cbf3ed3 the function makes three subcalls in sequence (call 6cbf4943 at 6cbf3f27, call 6cbf4904 at 6cbf3f68, call 6cbf4a02 at 6cbf3f98), each with one edge to the cleanup block at 6cbf409d. On the other path it performs memcpy at 6cbf3fb8 and 6cbf3ff6, then either call 6cbf3d87 (6cbf4064) or call 6cbf3e34 (6cbf4057), and finally memcpy plus call 6cbf29aa at 6cbf4071 before reaching cleanup. Cleanup: 6cbf409d, optionally NtUnmapViewOfSection and RtlNtStatusToDosError at 6cbf40a3, then optionally CloseHandle at 6cbf40bb, then return at 6cbf40c4.
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(?,CCCCFEEB,?,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF3FBC
                                                                                                                                                                                  • memcpy.NTDLL(?,CCCCFEEB,00000018,?,?,6CBF45C5,?,6CBF45C5,6CBF45C5,?,?,?,?,00000000), ref: 6CBF400D
                                                                                                                                                                                    • Part of subcall function 6CBF3E34: memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
                                                                                                                                                                                  • memcpy.NTDLL(?,6CBF46C5,00000800,?,?,?,00000000), ref: 6CBF407D
                                                                                                                                                                                    • Part of subcall function 6CBF29AA: memset.NTDLL ref: 6CBF29C9
                                                                                                                                                                                  • NtUnmapViewOfSection.NTDLL ref: 6CBF40A8
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF40AF
                                                                                                                                                                                  • CloseHandle.KERNELBASE(00000000,?,?,?,?,00000000), ref: 6CBF40BE
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$CloseErrorHandleSectionStatusUnmapViewmemset
                                                                                                                                                                                  • String ID: N;U
                                                                                                                                                                                  • API String ID: 742001727-3665909347
                                                                                                                                                                                  • Opcode ID: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
                                                                                                                                                                                  • Instruction ID: 77e417ceb0d9adca1ac51cfcdb02af875be58890c25355191e9974a46a12a127
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6a2aff8036133dcb8dda18dd985905ccb66f3271b6975419e560affa78638d94
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6D613AB1A0124AEFDF10CFA8C984A9EBBB9FF04308F104569E925A7751D731A64ACF51

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ZwOpenProcess.NTDLL(6CBF0000,00000400,?,?,?,00000000,00000000), ref: 6CBF1B14
                                                                                                                                                                                  • ZwOpenProcessToken.NTDLL(6CBF0000,00000008,00000000), ref: 6CBF1B27
                                                                                                                                                                                  • ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,6CBF0000), ref: 6CBF1B42
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • ZwQueryInformationToken.NTDLL(00000000,00000001,00000000,6CBF0000,6CBF0000,6CBF0000), ref: 6CBF1B5F
                                                                                                                                                                                  • memcpy.NTDLL(00000000,00000000,0000001C), ref: 6CBF1B6C
                                                                                                                                                                                  • ZwClose.NTDLL(00000000,6CBF0000), ref: 6CBF1B7E
                                                                                                                                                                                  • ZwClose.NTDLL(6CBF0000), ref: 6CBF1B87
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2575439697-0
                                                                                                                                                                                  • Opcode ID: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
                                                                                                                                                                                  • Instruction ID: 835a9d551e7a3b4cbb89d56226c5fc3c20b14dc4dff64b5f9f73d6a45fe889c3
                                                                                                                                                                                  • Opcode Fuzzy Hash: c48102cee9c17cd9f4ffe5241106520557f460b3a1b033464a67b59e6be0c962
                                                                                                                                                                                  • Instruction Fuzzy Hash: F22119B1A00118BBDF01DFA5CC449DEBFBDEF09750F104066F514E6221D7719A4A9BA0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
                                                                                                                                                                                  • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                    • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                    • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64QueryInformationProcess64, xrefs: 6CBF24A3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                                                                                                                                                  • String ID: ZwWow64QueryInformationProcess64
                                                                                                                                                                                  • API String ID: 3547194813-1903490642
                                                                                                                                                                                  • Opcode ID: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
                                                                                                                                                                                  • Instruction ID: bf70ba9ce6e551137f06e5f2f295773d0e82bfd0e0e834d7786fb84ced7a2c54
                                                                                                                                                                                  • Opcode Fuzzy Hash: 05f1efe74f99b7656b22f72659955ac0f70f50a459cbac4813125ac03fea6f88
                                                                                                                                                                                  • Instruction Fuzzy Hash: 62616270A01286EBDF05CFA5D894BEEBBB4FF08304F104529E964A7741D770E959CBA2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 6CBF499E
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF49C3
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF49DF
                                                                                                                                                                                  • ZwClose.NTDLL(?), ref: 6CBF49F3
                                                                                                                                                                                    • Part of subcall function 6CBF4904: NtMapViewOfSection.NTDLL ref: 6CBF4931
                                                                                                                                                                                    • Part of subcall function 6CBF4904: RtlNtStatusToDosError.NTDLL ref: 6CBF4938
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorSectionStatus$CloseCreateViewmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 783833395-0
                                                                                                                                                                                  • Opcode ID: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
                                                                                                                                                                                  • Instruction ID: 73a2bb660cde6f3345ac6d6d02d1d5e594ad71e821b93691309b4e7821b780b6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 261faad25c5984be6ea00c71347fb2d77715250537ddec8c28c4c14ea1fb5024
                                                                                                                                                                                  • Instruction Fuzzy Hash: 55215975A00269AFCF01CFA8CD449EEBBB8EB09720F104516F920E7240D7719A598FA5
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                  • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64ReadVirtualMemory64, xrefs: 6CBF2434
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressMemory64ProcReadVirtualWow64
                                                                                                                                                                                  • String ID: ZwWow64ReadVirtualMemory64
                                                                                                                                                                                  • API String ID: 752694512-2880279267
                                                                                                                                                                                  • Opcode ID: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
                                                                                                                                                                                  • Instruction ID: 31dffb25bcd454abb4ef14d41b2bda261722909730cd7705e27962e654375083
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8b80fd60fe25bdc1351b822f87e780fb6ca7762dad24d9f9044d44fe3caa4518
                                                                                                                                                                                  • Instruction Fuzzy Hash: EFF03A76600644BFCF068F96DC04C4EFFBAEB89350B108429F96093320D271D956DF21
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000000), ref: 6CBF22A0
                                                                                                                                                                                  • NtWow64QueryInformationProcess64.NTDLL(6CBF4211,00000000,00000000,00000030,6CBF4211,00000000,6CBF4211,?,?,C000009A,?,00000000,00000000), ref: 6CBF22BF
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • ZwWow64QueryInformationProcess64, xrefs: 6CBF2295
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressInformationProcProcess64QueryWow64
                                                                                                                                                                                  • String ID: ZwWow64QueryInformationProcess64
                                                                                                                                                                                  • API String ID: 1650446693-1903490642
                                                                                                                                                                                  • Opcode ID: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
                                                                                                                                                                                  • Instruction ID: 70f10d12b7686bd382422908f4539a7a2e55624809dfc16690092b60b051b051
                                                                                                                                                                                  • Opcode Fuzzy Hash: 03dbfdff6cd75c8ea48697c67881109ea3a60b4359ae4a5203fb201d46f21fe0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 64E04F31305351AFEB028A54EC05F057BB4AB5A754F054425B534E3350D321CD15DF52
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,?,00000000,DF18C02A), ref: 02A40532
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 02A40569
                                                                                                                                                                                  • NtProtectVirtualMemory.NTDLL(000000FF,?,00001000,00000002,?,?,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 02A4084C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716055121.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_2a40000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MemoryVirtual$Protect$Allocate
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 955180148-0
                                                                                                                                                                                  • Opcode ID: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
                                                                                                                                                                                  • Instruction ID: 69c28ff374d73e8e6d762d9deebcb14510736e5e3a849916490fa74115626399
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0276ce237686d955ecd96cb5b1eef00a4676b752b1876b5eb49befe3360d61fd
                                                                                                                                                                                  • Instruction Fuzzy Hash: 18F12772E012189FDF18CFA5C980ADDBBB2FF88310F258169D919BB255DB74A942CF50
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000), ref: 6CBF2E71
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$AllocateLastMemoryStatusVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 722216270-0
                                                                                                                                                                                  • Opcode ID: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
                                                                                                                                                                                  • Instruction ID: e1696c6e52f82c8b35b8127d70b07aa4c4083810d5045a848bfb14f64b6b2c96
                                                                                                                                                                                  • Opcode Fuzzy Hash: 75bb827979cdcd05515bbc0a4a26ac162cff3245928404c257da9dd8c04c69e4
                                                                                                                                                                                  • Instruction Fuzzy Hash: A4F05E71A11309FBEB04CB95D819B9EB7BCAB05305F104048A210A6280EBB4EB04CB65
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtWriteVirtualMemory.NTDLL(?,00000004,6CBF468D,6CBF468D,00000000,74E05030,?,6CBF3C80,?,00000004,6CBF468D,00000004,?), ref: 6CBF2E0F
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2E1E
                                                                                                                                                                                  • SetLastError.KERNEL32(00000000,?,6CBF3C80,?,00000004,6CBF468D,00000004,?,?,?,?,6CBF453C,00000000,6CBF468D,CCCCFEEB,00000000), ref: 6CBF2E25
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$LastMemoryStatusVirtualWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1089604434-0
                                                                                                                                                                                  • Opcode ID: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
                                                                                                                                                                                  • Instruction ID: b68facb3353404949bade2746c938b6a2a580ca39d6f051695f5ef0a5dfee969
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1816e23932a08f6edab7dbc4c08106460807a28bf86feace411f7ace092c444e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 08E01232241299ABDF015FE9AC08D8B7B69EB0D751B104425BA21C6711C731D5219BA1
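The function listings above record the raw primitives of the injection behaviour flagged in the overview (NtCreateSection with PAGE_EXECUTE_READWRITE and no file handle, followed by NtMapViewOfSection; NtAllocateVirtualMemory and NtProtectVirtualMemory with protection 0x40; NtWriteVirtualMemory; and GetProcAddress lookups of the ZwWow64* APIs that let 32-bit code read a 64-bit process). The following triage script is an added example written for this page; it is not Joe Sandbox code and not part of the report. It parses "APIs" entries in the exact form shown on this page, decodes the argument constants using their winnt.h names, and tags the injection-related calls. The sample input is the report's own entries, copied verbatim; the tag names (rwx_alloc, rwx_pagefile_section, section_map_chain, and so on) are our own labels, and argument positions follow the documented Nt* prototypes, which the sandbox's stack-based argument dump only approximates (entries after the real parameter count are stack residue, hence the guards on length and the `?` placeholders).

```python
import re
from typing import Dict, List, Optional

# Constructed input: "APIs" entries copied from this report's function listings
# (the 6CBF0000 and 02A40000 dumps of the rundll32 process). A "?" is an
# argument the sandbox could not resolve and is kept as-is.
SAMPLE_API_LINES = [
    "NtCreateSection.NTDLL(?,000F001F,?,?,00000040,08000000,00000000), ref: 6CBF499E",
    "NtMapViewOfSection.NTDLL ref: 6CBF4931",
    "NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000040,?,?,00000000,DF18C02A), ref: 02A40532",
    "NtAllocateVirtualMemory.NTDLL(000000FF,00000000,00000000,?,00003000,00000040), ref: 02A40569",
    "NtProtectVirtualMemory.NTDLL(000000FF,?,00001000,00000002,?,?,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 02A4084C",
    "NtWriteVirtualMemory.NTDLL(?,00000004,6CBF468D,6CBF468D,00000000,74E05030,?,6CBF3C80,?,00000004,6CBF468D,00000004,?), ref: 6CBF2E0F",
    "GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F",
    "GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000000), ref: 6CBF22A0",
]

# One "Name.MODULE(arg,arg,...), ref: ADDR" entry; the argument list is optional.
_LINE_RE = re.compile(
    r"^(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Windows SDK constants (winnt.h) for the arguments decoded below.
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
ALLOC_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_EXECUTE_READWRITE = 0x40
SECTION_ALL_ACCESS = 0x000F001F
SEC_COMMIT = 0x08000000


def parse_api_line(line: str) -> Optional[Dict]:
    """Parse one report entry; 8-digit hex arguments become ints, '?' and names stay None."""
    m = _LINE_RE.match(line.strip().lstrip("•").strip())
    if not m:
        return None
    raw = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
    args = [int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", a) else None for a in raw]
    return {"name": m.group("name"), "module": m.group("module"),
            "raw_args": raw, "args": args, "ref": m.group("ref")}


def _h(v: Optional[int]) -> str:
    return "?" if v is None else f"0x{v:08X}"


def decode_protect(v: Optional[int]) -> str:
    """PAGE_* name for a protection value (PAGE_GUARD modifier kept if set)."""
    if v is None:
        return "?"
    return PAGE_PROTECT.get(v & 0xFF, hex(v & 0xFF)) + ("|PAGE_GUARD" if v & 0x100 else "")


def decode_alloc_type(v: Optional[int]) -> str:
    """MEM_* names for an AllocationType value, unknown bits left as hex."""
    if v is None:
        return "?"
    names = [n for bit, n in ALLOC_TYPE.items() if v & bit]
    if v & ~0x3000:
        names.append(hex(v & ~0x3000))
    return "|".join(names) or hex(v)


def triage(lines: List[str]) -> List[Dict]:
    """Tag the memory-injection primitives in a listing (tag names are ours, not the sandbox's)."""
    findings, seen = [], set()
    for line in lines:
        e = parse_api_line(line)
        if e is None:
            continue
        name, a, raw = e["name"], e["args"], e["raw_args"]
        seen.add(name)
        tag = detail = None
        if name == "NtAllocateVirtualMemory" and len(a) >= 6 and a[5] == PAGE_EXECUTE_READWRITE:
            tag, detail = "rwx_alloc", f"{decode_alloc_type(a[4])}, {decode_protect(a[5])}"
        elif name == "NtProtectVirtualMemory" and len(a) >= 4 and a[3] == PAGE_EXECUTE_READWRITE:
            tag, detail = "rwx_protect", f"size {_h(a[2])} -> {decode_protect(a[3])}"
        elif (name == "NtCreateSection" and len(a) >= 7
              and a[4] == PAGE_EXECUTE_READWRITE and a[6] == 0):
            # RWX, pagefile-backed section (FileHandle == NULL): the staging object
            # that NtMapViewOfSection then maps into the target process.
            access = "SECTION_ALL_ACCESS" if a[1] == SECTION_ALL_ACCESS else _h(a[1])
            attrs = "SEC_COMMIT" if a[5] == SEC_COMMIT else _h(a[5])
            tag, detail = "rwx_pagefile_section", f"{access}, {decode_protect(a[4])}, {attrs}"
        elif name == "NtWriteVirtualMemory":
            tag, detail = "cross_process_write", f"target handle {raw[0] if raw else '?'}"
        elif name == "GetProcAddress" and raw and raw[0].startswith("ZwWow64"):
            # 32-bit code resolving the Wow64 64-bit-memory APIs at runtime, which is
            # how a WoW64 process queries or reads a native 64-bit process.
            tag, detail = "wow64_64bit_memory_access", raw[0]
        if tag:
            findings.append({"tag": tag, "api": name, "ref": e["ref"], "detail": detail})
    if any(f["tag"] == "rwx_pagefile_section" for f in findings) and "NtMapViewOfSection" in seen:
        findings.append({"tag": "section_map_chain", "api": "NtCreateSection+NtMapViewOfSection",
                         "ref": "", "detail": "RWX section created and mapped"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_API_LINES):
        print(f"{f['tag']:28} {f['api']:36} {f['ref'] or '-':8} {f['detail']}")
```

Run it on entries pasted from any Joe Sandbox "Executed Functions" listing; the decoded constants are what make the listing readable (0x000F001F is SECTION_ALL_ACCESS, 0x08000000 is SEC_COMMIT, 0x3000 is MEM_COMMIT|MEM_RESERVE, 0x40 is PAGE_EXECUTE_READWRITE). The second NtProtectVirtualMemory call above, with NewProtect 0x00000002 (PAGE_READONLY) over 0x1000 bytes, is deliberately not tagged: only transitions to executable-writable memory are flagged, so a protection restore after a write does not add noise.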
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LdrLoadDll.NTDLL(00000000,00000000,?,?,?,02A4080D,?,DF18C02A,?,?,?,00000000,?,00000000), ref: 02A40E7A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716055121.0000000002A40000.00000040.00001000.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_2a40000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Load
                                                                                                                                                                                  • String ID: U/
                                                                                                                                                                                  • API String ID: 2234796835-28647567
                                                                                                                                                                                  • Opcode ID: 95ad536bfe3863d19e965b884b539d5f883aa0a128a14424d074b338dc3537cf
                                                                                                                                                                                  • Instruction ID: c7650566964fd419f7ab07aa6276d8ea0a5bb81c4a2d3b93c5f67125e3828012
                                                                                                                                                                                  • Opcode Fuzzy Hash: 95ad536bfe3863d19e965b884b539d5f883aa0a128a14424d074b338dc3537cf
                                                                                                                                                                                  • Instruction Fuzzy Hash: B061ED75E10209AFDF08CFA5D9819AEBBB2FF88310F14C569E916A7244DB34EA45CF50
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtQuerySystemInformation.NTDLL ref: 6CBF2D4A
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF2D83
                                                                                                                                                                                    • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2533303245-0
                                                                                                                                                                                  • Opcode ID: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
                                                                                                                                                                                  • Instruction ID: f03f2fbc581efe32e4f056fd35d422eeb25efae4bed09f61f2f51062f8b05a37
                                                                                                                                                                                  • Opcode Fuzzy Hash: 018a6a352cd8302c377f9c1458485a88046f2ded7464776cd8e5e7db952c1dcf
                                                                                                                                                                                  • Instruction Fuzzy Hash: D701F27A9039F4AAD7124655890CBDE7968CF46B58F110114ED30A7B00D770CE0A82F3
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorSectionStatusView
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1313840181-0
                                                                                                                                                                                  • Opcode ID: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
                                                                                                                                                                                  • Instruction ID: 83790d556e31726be7f376e3c44faf6c4d30b93a27a300a62e93d82d0fcede85
                                                                                                                                                                                  • Opcode Fuzzy Hash: 19fc8330002138bc4df6f376718265aa4d97c29fc6e373bfe2bd4d1a22473c08
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31E0E5B6900208FFEF059F95DC0FDEF7B7DEB45300F00856AF615A6151E6B1AA149B60
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • NtProtectVirtualMemory.NTDLL ref: 6CBF4BCB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: MemoryProtectVirtual
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2706961497-0
                                                                                                                                                                                  • Opcode ID: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
                                                                                                                                                                                  • Instruction ID: 28cc42cccdb4055abea283a3ea790c5e4a853cf746611ce8e43d63e46f8e3474
                                                                                                                                                                                  • Opcode Fuzzy Hash: af5b7e29ad1b2268868168bc09b01d4086c669db7eb639983e2640be428b1d8f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 75F0243101860A5BD714EB58CC82EA6B3ECFF49310F04065CBCA5873D1E671B964CBC2

Control-flow Graph: basic blocks 6cbf1f0f-6cbf2283 (legend: Executed / Not Executed; graph rendering not preserved in this extract)
APIs
• StrChrA.SHLWAPI(?,0000005F,00000000,00000000,00000104), ref: 6CBF1F52
• lstrcpyA.KERNEL32(?,?), ref: 6CBF1F6A
• lstrcatA.KERNEL32(?,\Software\Microsoft\Windows\CurrentVersion), ref: 6CBF1F82
• lstrcatA.KERNEL32(?,\Explorer\Shell Folders), ref: 6CBF1F90
• RegOpenKeyA.ADVAPI32(?,?,?), ref: 6CBF1FA0
• RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF1FC6
• lstrlenW.KERNEL32 ref: 6CBF1FD7
• HeapAlloc.KERNEL32(00000000,?), ref: 6CBF1FEC
• RegQueryValueExW.KERNELBASE(?,AppData,00000000,?,00000000,?), ref: 6CBF2011
• PathCombineW.SHLWAPI(00000000,00000000,Microsoft), ref: 6CBF2033
• CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2037
• PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2045
• CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 6CBF2049
• PathCombineW.SHLWAPI(00000000,00000000), ref: 6CBF2057
• lstrcmpiW.KERNEL32(00000000), ref: 6CBF2060
  • Part of subcall function 6CBF32EE: lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
  • Part of subcall function 6CBF32EE: lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
  • Part of subcall function 6CBF32EE: HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
  • Part of subcall function 6CBF32EE: wsprintfW.USER32 ref: 6CBF3339
• lstrcpyA.KERNEL32(?,\Run,00000000), ref: 6CBF20A2
• RegOpenKeyExA.KERNELBASE(?,?,00000000,6CBF3417,?), ref: 6CBF20C3
• lstrlenW.KERNEL32(?), ref: 6CBF20D0
• RegSetValueExW.KERNELBASE(?,00000000,00000001,?,?), ref: 6CBF20EA
• RegCloseKey.ADVAPI32(?), ref: 6CBF20F6
• lstrcpyA.KERNEL32(?,?,6CBF342F,0AEBFFFF), ref: 6CBF2158
• RegCreateKeyA.ADVAPI32(?,?,?), ref: 6CBF216C
• RegQueryValueExA.KERNELBASE(?,Client,00000000,?,?,?), ref: 6CBF218F
• RegSetValueExA.ADVAPI32(?,Client,00000000,00000003,?,00000028), ref: 6CBF21B9
• RegSetValueExA.ADVAPI32(?,Client32,00000000,00000003,BFA98035,3D6CBF80), ref: 6CBF21D1
• RegCloseKey.KERNELBASE(?), ref: 6CBF21D6
• RegOpenKeyExA.ADVAPI32(?,?,00000000,6CBF3417,?,?,6CBF342F,0AEBFFFF), ref: 6CBF21F5
• RegOpenKeyW.ADVAPI32(?,00000000,?), ref: 6CBF2210
• RegDeleteValueW.ADVAPI32(?,04B686E0), ref: 6CBF221E
• RegCloseKey.ADVAPI32(?), ref: 6CBF2227
• HeapFree.KERNEL32(00000000,?,?,6CBF342F,0AEBFFFF), ref: 6CBF223F
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF225F
• RegCloseKey.ADVAPI32(?), ref: 6CBF2271
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Value$CloseHeapOpenlstrlen$CombineCreatePathQuerylstrcpy$AllocDirectoryFreelstrcat$Deletelstrcmpiwsprintf
• String ID: ($AppData$Client$Client32$Microsoft$\Explorer\Shell Folders$\Run$\Software\Microsoft\Windows\CurrentVersion
• API String ID: 4063272932-2954684206
• Opcode ID: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
• Instruction ID: d5b5995981af87601f0265e63448b9721a9a69c03413a0e9ad7d1cc960552da6
• Opcode Fuzzy Hash: d6ba58318e9012b8fabbc5c54a49635f953442c0bf75067a8ade2a0ff9c3dac8
• Instruction Fuzzy Hash: 23A12671A00189FFDF119FA2DC88DAEBB7DFB0A344F104422F925A6610D7319A5ADF52

Control-flow Graph: basic blocks 6cbf16b2-6cbf1a50 (legend: Executed / Not Executed; graph rendering not preserved in this extract)
APIs
  • Part of subcall function 6CBF1A53: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
  • Part of subcall function 6CBF1A53: GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
  • Part of subcall function 6CBF1A53: GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
  • Part of subcall function 6CBF1A53: OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
• GetCursorInfo.USER32 ref: 6CBF16FE
  • Part of subcall function 6CBF345B: lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
• GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
• GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
• CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
• ReadFile.KERNEL32(00000000,?,00000004,?,00000000), ref: 6CBF17E8
• CloseHandle.KERNEL32(00000000), ref: 6CBF17F7
  • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
• ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1),00000001,?,00000000), ref: 6CBF1948
• CreateEventA.KERNEL32(?,00000001,00000000,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF195B
• GetLastError.KERNEL32 ref: 6CBF196C
• SetEvent.KERNEL32(00000000), ref: 6CBF1977
• Sleep.KERNEL32(00000BB8), ref: 6CBF1982
• ResetEvent.KERNEL32(00000000), ref: 6CBF1989
• CloseHandle.KERNELBASE(00000000), ref: 6CBF1990
• DeleteFileW.KERNELBASE(04B687C8,?), ref: 6CBF19C9
• MoveFileExW.KERNELBASE(00000000,00000004), ref: 6CBF19DC
                                                                                                                                                                                  • CreateWaitableTimerA.KERNEL32(?,00000001,?), ref: 6CBF19FF
                                                                                                                                                                                  • SetWaitableTimer.KERNELBASE(00000000,0000000C,00000000,00000000,00000000,00000000), ref: 6CBF1A22
                                                                                                                                                                                  • CloseHandle.KERNEL32(00000000), ref: 6CBF1A29
                                                                                                                                                                                  • LocalFree.KERNEL32(?), ref: 6CBF1A33
                                                                                                                                                                                  • GetLastError.KERNEL32(EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1A40
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 6CBF193C
                                                                                                                                                                                  • c:\321.txt, xrefs: 6CBF17C4
                                                                                                                                                                                  • N;U, xrefs: 6CBF1851
                                                                                                                                                                                  • S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1), xrefs: 6CBF1943
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CreateEventFile$CloseHandle$DescriptorErrorLastLongNamePathProcessSecurityTimerWaitable$ConvertCurrentCursorDeleteFreeInfoLocalMoveOpenReadResetSleepStringVersionlstrcmplstrcpyn
                                                                                                                                                                                  • String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$N;U$S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)$c:\321.txt
                                                                                                                                                                                  • API String ID: 400546999-400329992
                                                                                                                                                                                  • Opcode ID: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction ID: 0bfabbcd689d29662f5e76863d64d4601979bad7f637ba32e1b45e975acdee41
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8a067fc74be49b56aa86a033110dc9262dd7eb954261ea7a8f4fcad245bd981d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 31A1B4B26052859FDB009F75D884A9E77F8EB45308F498E2AF571D3750D730D84E8B92

Control-flow Graph

control_flow_graph 199 6cbf150f-6cbf1526 LoadLibraryA 200 6cbf1528-6cbf153c GetProcAddress 199->200 201 6cbf1574-6cbf1579 199->201 202 6cbf153e-6cbf1551 GetModuleHandleA GetProcAddress 200->202 203 6cbf1572-6cbf1573 200->203 202->203 204 6cbf1553-6cbf155e FindWindowA 202->204 203->201 204->203 205 6cbf1560-6cbf1569 204->205 205->203 207 6cbf156b 205->207 207->203
APIs
• LoadLibraryA.KERNEL32(USER32.DLL,6CBF0000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF151E
• GetProcAddress.KERNEL32(00000000,FindWindowA), ref: 6CBF1536
• GetModuleHandleA.KERNEL32(USER32.DLL,GetWindowThreadProcessId,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF1544
• GetProcAddress.KERNEL32(00000000), ref: 6CBF154B
• FindWindowA.USER32(ProgMan,00000000,?,?,6CBF1851,00000001,00000000,6CBFA95C), ref: 6CBF155A
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AddressProc$FindHandleLibraryLoadModuleWindow
• String ID: FindWindowA$GetWindowThreadProcessId$N;U$N;U$ProgMan$USER32.DLL
• API String ID: 2344282417-784344377
• Opcode ID: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
• Instruction ID: 90303c8af2e5426ee61dd3f30d4da4a227fc22531a4cb19a3f2950c7a1b0db72
• Opcode Fuzzy Hash: 422b2af1b541a86876b29d354e38b63c40898ec4c5ad9808d6f57bba39ac3f5d
• Instruction Fuzzy Hash: 8EF0F6B2E01259B7EF0196B99C46FAF7AECDB06654F60041AA533E3700DA74DD0A86B1

Control-flow Graph

APIs
• CreateFileW.KERNELBASE(6CBF342F,C0000000,00000001,00000000,00000004,00000080,00000000,6CBF3417,00000000,6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C6C
• WriteFile.KERNELBASE(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1C92
• WriteFile.KERNELBASE(6CBF342F,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CAB
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CB1
• SetEndOfFile.KERNELBASE(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CBD
• CloseHandle.KERNELBASE(6CBF342F,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CC6
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CCE
• CreateFileW.KERNELBASE(6CBF342F,C0000000,00000001,00000000,00000003,00000080,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1CED
• WriteFile.KERNELBASE(00000000,?,?,6CBF212E,00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D03
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D09
• FlushFileBuffers.KERNEL32(00000000,?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D13
• GetLastError.KERNEL32(?,6CBF212E,?,6CBF342F,0AEBFFFF), ref: 6CBF1D1B
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$ErrorLast$Write$Create$BuffersCloseFlushHandle
• String ID:
• API String ID: 2625730619-0
• Opcode ID: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
• Instruction ID: 71b52acd720305bbb8fdd735e3808596cbd223411343c519a1023ed0fa8217e4
• Opcode Fuzzy Hash: 8c9d14119bf1386cb7670a2b000947b6485c6d57e9bee74cb1d5ba9eb7cc7bcf
• Instruction Fuzzy Hash: E83162B1A00208FFEF00DFA5CD44BAEBBB9EB4A754F148515F920E7290D7719A019B21

Control-flow Graph

APIs
• memset.NTDLL ref: 6CBF1407
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,6CBF0000,EE553B43,6CBF3047,%systemroot%\system32\c_1252.nls), ref: 6CBF3596
  • Part of subcall function 6CBF3585: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 6CBF35B0
  • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
• CreateProcessA.KERNELBASE(00000000,00000000,00000000,00000000,00000000,04000004,00000000,00000000,00000044,?,00000000,%systemroot%\system32\svchost.exe,C000009A,?,00000000), ref: 6CBF1444
• WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000001), ref: 6CBF1470
• GetExitCodeProcess.KERNEL32(?,00000000), ref: 6CBF1481
• CloseHandle.KERNELBASE(00000000,?,00000000,00000001), ref: 6CBF1490
• CloseHandle.KERNEL32(?), ref: 6CBF1495
• GetLastError.KERNEL32(00000001), ref: 6CBF1499
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF14AA
  • Part of subcall function 6CBF449E: memset.NTDLL ref: 6CBF44C1
  • Part of subcall function 6CBF449E: ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
  • Part of subcall function 6CBF449E: WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
  • Part of subcall function 6CBF449E: SuspendThread.KERNEL32(?), ref: 6CBF456D
  • Part of subcall function 6CBF449E: GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
  • Part of subcall function 6CBF449E: ResumeThread.KERNELBASE(?), ref: 6CBF45E4
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Thread$CloseEnvironmentErrorExpandHandleLastObjectProcessResumeSingleStringsWaitmemset$AddressCodeCreateExitFreeHeapProcSuspend
• String ID: %systemroot%\system32\svchost.exe$D
• API String ID: 3646439427-390745801
• Opcode ID: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
• Instruction ID: dff90efabb4aff0f65664f43ecb5f690705236365ede14db7bfd50482c3267fd
• Opcode Fuzzy Hash: 3226b7cf6666db76aabcd5813f02de8ff0de0ed93508c22fe017790b0f40e487
• Instruction Fuzzy Hash: 012169B1901168BFCB019FA6DC489EF7F7DEF46365F108426F625A6250C7318A098FA2

Control-flow Graph

control_flow_graph 241 6cbf128f-6cbf12ac 242 6cbf12ae 241->242 243 6cbf12b3-6cbf12c9 call 6cbf32ee 241->243 242->243 246 6cbf12cf-6cbf12f4 RegOpenKeyExA 243->246 247 6cbf1378-6cbf137e 243->247 248 6cbf136b-6cbf1377 RtlFreeHeap 246->248 249 6cbf12f6-6cbf1318 lstrlenW HeapAlloc 246->249 248->247 250 6cbf131a-6cbf1335 RegQueryValueExW 249->250 251 6cbf1362-6cbf1365 RegCloseKey 249->251 252 6cbf1358-6cbf1360 HeapFree 250->252 253 6cbf1337-6cbf134f lstrcmpiW 250->253 251->248 252->251 253->252 254 6cbf1351 253->254 254->252
APIs
• RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\Windows\CurrentVersion\Run,00000000,00000000,?,6CBF0000,00000000,00000000), ref: 6CBF12E6
• lstrlenW.KERNEL32(?), ref: 6CBF12F9
• HeapAlloc.KERNEL32(00000000,?), ref: 6CBF130E
• RegQueryValueExW.KERNELBASE(?,00000000,00000001,00000000,?), ref: 6CBF132D
• lstrcmpiW.KERNEL32(00000000,?), ref: 6CBF1347
• HeapFree.KERNEL32(00000000,00000000), ref: 6CBF1360
• RegCloseKey.KERNELBASE(?), ref: 6CBF1365
• RtlFreeHeap.NTDLL(00000000,?), ref: 6CBF1375
Strings
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 6CBF12DC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$AllocCloseOpenQueryValuelstrcmpilstrlen
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                                                                                  • API String ID: 464076213-1428018034
                                                                                                                                                                                  • Opcode ID: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
                                                                                                                                                                                  • Instruction ID: fe687682966ef18a9cadcd1d6bf5c1e12d65ed12d7db68d216dd488f7ad79e6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2eb2d9785ab97c7024d2949fd165d2bec1b261a6866681cc40e673d1e9812e36
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF217C72A01119BFDF119FA2DC48EAFBBBCFB06348B554565E921E3310D3729915CBA0

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 255 6cbf45f3-6cbf4629 call 6cbf22c9 OpenProcess 258 6cbf462f-6cbf4631 255->258 259 6cbf46b4-6cbf46ba GetLastError 255->259 261 6cbf4633-6cbf463a 258->261 262 6cbf4641-6cbf4665 GetProcAddress * 2 258->262 260 6cbf46bc-6cbf46c2 259->260 261->262 263 6cbf463c-6cbf463f 261->263 264 6cbf4667-6cbf4669 262->264 265 6cbf46a4 262->265 266 6cbf46a9-6cbf46b2 CloseHandle 263->266 264->265 267 6cbf466b-6cbf467f 264->267 265->266 266->260 269 6cbf469a-6cbf46a2 GetLastError 267->269 270 6cbf4681-6cbf4698 call 6cbf449e CloseHandle 267->270 269->266 270->266
APIs
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(0000027C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(0000027C,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• OpenProcess.KERNEL32(001F0FFF,00000000,6CBF1623,6CBF1623,C000009A,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF461E
• GetProcAddress.KERNEL32(RtlExitUserThread), ref: 6CBF4652
• GetProcAddress.KERNEL32(CreateRemoteThread), ref: 6CBF4661
• CloseHandle.KERNEL32(6CBF1623,?,00000000,?,?,6CBF1623,?,?), ref: 6CBF4692
• GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF469A
• CloseHandle.KERNEL32(?,?,?,6CBF1623,?,?), ref: 6CBF46AC
• GetLastError.KERNEL32(?,?,6CBF1623,?,?), ref: 6CBF46B4
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Handle$AddressCloseProcProcess$ErrorLastOpen$ModuleWow64
• String ID: CreateRemoteThread$RtlExitUserThread
• API String ID: 1303122091-3466022969
• Opcode ID: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
• Instruction ID: 82551c7240de48624df413532e57212cef16f453a4b6d6d5af3e551ea2f3c787
• Opcode Fuzzy Hash: d2ad6cd9443b06fecb3b4a5cdf75bfdd9f2c83ac8ba909801f1b076520ecd619
• Instruction Fuzzy Hash: 7B219272A00198BFDF015FF5DD4889EBBB9EB0A354B114876E931E3710D6714D0E8E91
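The routine above first asks 6CBF22C9 whether the target is a WoW64 process, then opens it with PROCESS_ALL_ACCESS (0x001F0FFF at 6CBF461E) and resolves both CreateRemoteThread and RtlExitUserThread before handing off to 6CBF449E; this is the code path behind the report's "Creates a thread in another existing process" signature. As an added example, not code from the sample or from Joe Sandbox, the Python below triages Sysmon Event ID 8 (CreateRemoteThread) records for that pattern. It assumes, which the listing alone does not prove, that RtlExitUserThread is the start routine handed to CreateRemoteThread; the "Key=Value; ..." record format, the sample events and the scoring weights are constructed for this example.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records for the
OpenProcess(PROCESS_ALL_ACCESS) + CreateRemoteThread(RtlExitUserThread)
pattern seen at 6CBF45F3.  Added example; the events below are constructed,
not captured from the sandbox run."""

# Constructed records in a flattened "Key=Value; Key=Value" form.  Real Sysmon
# events carry the same field names (SourceImage, TargetImage, StartAddress,
# StartModule, StartFunction) plus GUIDs, times and user names.
SAMPLE_EVENTS = [
    "EventID=8; SourceImage=C:\\Windows\\SysWOW64\\rundll32.exe; "
    "TargetImage=C:\\Windows\\explorer.exe; StartAddress=0x00007FFE12345678; "
    "StartModule=C:\\Windows\\System32\\ntdll.dll; StartFunction=RtlExitUserThread",
    "EventID=8; SourceImage=C:\\Program Files\\Vendor\\edr.exe; "
    "TargetImage=C:\\Windows\\explorer.exe; StartAddress=0x00007FFE0ABCDEF0; "
    "StartModule=C:\\Windows\\System32\\kernel32.dll; StartFunction=LoadLibraryW",
    "EventID=8; SourceImage=C:\\Windows\\System32\\csrss.exe; "
    "TargetImage=C:\\Users\\u\\app.exe; StartAddress=0x00007FFE11110000; "
    "StartModule=; StartFunction=",
    "EventID=1; Image=C:\\Windows\\System32\\notepad.exe",
]

# Script/DLL hosts that have no business starting threads inside the shell.
LOLBIN_HOSTS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def parse_event(line):
    """Split 'Key=Value; Key=Value' into a dict; empty values are kept as ''."""
    rec = {}
    for part in line.split("; "):
        if "=" in part:
            key, _, value = part.partition("=")
            rec[key.strip()] = value.strip()
    return rec


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return path.rsplit("\\", 1)[-1].lower()


def score_remote_thread(rec):
    """Return (score, reasons) for one record; (0, []) when it is not Event ID 8
    or nothing about it is suspicious.  Weights are illustrative."""
    if rec.get("EventID") != "8":
        return 0, []
    score, reasons = 0, []
    src = basename(rec.get("SourceImage", ""))
    tgt = basename(rec.get("TargetImage", ""))
    mod = basename(rec.get("StartModule", ""))
    fn = rec.get("StartFunction", "")
    # Assumption from the lead-in: a remote thread that starts at
    # ntdll!RtlExitUserThread does nothing on its own, which is exactly what an
    # injector wants when the real entry point is supplied by rewriting the
    # thread's context afterwards.
    if mod == "ntdll.dll" and fn == "RtlExitUserThread":
        score += 60
        reasons.append("remote thread starts at ntdll!RtlExitUserThread")
    if src in LOLBIN_HOSTS and tgt == "explorer.exe":
        score += 30
        reasons.append("%s created a thread in explorer.exe" % src)
    # No backing module means the start address lies in unbacked (injected) memory.
    if not mod and rec.get("StartAddress"):
        score += 20
        reasons.append("start address is not backed by a loaded module")
    return score, reasons


def triage(lines, threshold=50):
    """Return [(source, target, score, reasons)] for records at or above threshold."""
    hits = []
    for line in lines:
        rec = parse_event(line)
        score, reasons = score_remote_thread(rec)
        if score >= threshold:
            hits.append((basename(rec.get("SourceImage", "")),
                         basename(rec.get("TargetImage", "")), score, reasons))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the first constructed record crosses the threshold: the EDR agent's LoadLibraryW thread and csrss.exe's unbacked startup thread are both normal and score below it, which is why the start-function check carries most of the weight rather than the bare source/target pair.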

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 273 6cbf2a18-6cbf2a57 call 6cbf2492 VirtualAlloc 276 6cbf2a5d-6cbf2a68 call 6cbf2492 273->276 277 6cbf2b23 273->277 280 6cbf2a6d-6cbf2a73 276->280 279 6cbf2b2b-6cbf2b2d 277->279 281 6cbf2b2f-6cbf2b37 VirtualFree 279->281 282 6cbf2b3d-6cbf2b48 279->282 283 6cbf2a9b-6cbf2a9d 280->283 284 6cbf2a75-6cbf2a79 280->284 281->282 283->277 286 6cbf2aa3-6cbf2aa7 283->286 284->283 285 6cbf2a7b-6cbf2a99 VirtualFree VirtualAlloc 284->285 285->276 285->283 286->277 287 6cbf2aa9-6cbf2ab4 286->287 287->279 288 6cbf2ab6 287->288 289 6cbf2abc-6cbf2ace lstrcmpiA 288->289 290 6cbf2b00-6cbf2b1a 289->290 291 6cbf2ad0-6cbf2adb StrChrA 289->291 290->279 294 6cbf2b1c-6cbf2b21 290->294 292 6cbf2add-6cbf2aea lstrcmpiA 291->292 293 6cbf2aec-6cbf2afc 291->293 292->290 292->293 293->289 295 6cbf2afe 293->295 294->279 295->279
APIs
  • Part of subcall function 6CBF2492: GetProcAddress.KERNEL32(ZwWow64QueryInformationProcess64,00000318), ref: 6CBF24B0
  • Part of subcall function 6CBF2492: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 6CBF24CC
• VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
• VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
  • Part of subcall function 6CBF2492: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 6CBF2636
• VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
• VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
• StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
• lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
• String ID: NTDLL.DLL
• API String ID: 3901270786-1613819793
• Opcode ID: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction ID: 6feb7925d7ff07bc43edbcc22aa82d619937076948661425e6b66be1e10d63d6
• Opcode Fuzzy Hash: a828508e122c45feefb8b31460300ed9a2abf809ba81c706b52b66a93b1e3de2
• Instruction Fuzzy Hash: 2A31C371205792ABD321CF56C888F1BBBE8EF85754F110909F9A457781C730D90ACBA3

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 338 6cbf22c9-6cbf22dc 339 6cbf22de-6cbf2301 GetModuleHandleA GetProcAddress 338->339 340 6cbf2303-6cbf2306 338->340 339->340 341 6cbf233b-6cbf2341 339->341 342 6cbf2319-6cbf231b 340->342 343 6cbf2308-6cbf2317 OpenProcess 340->343 342->341 344 6cbf231d-6cbf232a IsWow64Process 342->344 343->342 345 6cbf232f-6cbf2332 344->345 346 6cbf232c 344->346 345->341 347 6cbf2334-6cbf2335 CloseHandle 345->347 346->345 347->341
APIs
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
• OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
• IsWow64Process.KERNEL32(0000027C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
• CloseHandle.KERNELBASE(0000027C,?,?,6CBF173E,00000000,?), ref: 6CBF2335
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: HandleProcess$AddressCloseModuleOpenProcWow64
• String ID: IsWow64Process$KERNEL32.DLL
• API String ID: 4157061983-1193389583
• Opcode ID: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction ID: c0ab2c1abe1b4340081c7cdf9fe61c6d41a4c2e604a853c51e3d6d59090e8d96
• Opcode Fuzzy Hash: abfbc6cb4203a526b09b802b7cb11e2d9689af0901e908783d2001414961af3e
• Instruction Fuzzy Hash: 1601A7B5A02584FFDB069F66D90C89E7BBDEBCA7557204126E534D3300D2718B45CB63

Control-flow Graph

APIs
• OpenProcessToken.ADVAPI32(000000FF,00020008,?,00000000), ref: 6CBF2F37
• GetTokenInformation.KERNELBASE(?,00000014(TokenElevation),00000001,00000004,?,00000000), ref: 6CBF2F57
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,00000000,?), ref: 6CBF2F67
• CloseHandle.KERNELBASE(?), ref: 6CBF2FB7
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• GetTokenInformation.KERNELBASE(?,00000019(TokenIntegrityLevel),00000000,?,?,?,6CBF0000), ref: 6CBF2F8A
• GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 6CBF2F92
• GetSidSubAuthority.ADVAPI32(00000000,?), ref: 6CBF2FA2
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
• String ID:
• API String ID: 1295030180-0
• Opcode ID: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction ID: 9fc0a7b9fc51d0eebef006e9924587aee81be6ddab7e764d3136aa0c5d05aec2
• Opcode Fuzzy Hash: 313d0a405886b0580eabe38f40e1753d7e03a7272633623284ae07fee2ae8ef2
• Instruction Fuzzy Hash: 94212A75900249BFEF019FA5DD44DEEBBBDEB09304F104066E920A6350C7719A09EF61

Control-flow Graph

APIs
• memset.NTDLL ref: 6CBF44C1
  • Part of subcall function 6CBF22C9: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF22E3
  • Part of subcall function 6CBF22C9: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 6CBF22F4
  • Part of subcall function 6CBF22C9: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2311
  • Part of subcall function 6CBF22C9: IsWow64Process.KERNEL32(0000027C,?,?,00000000,?,?,6CBF173E,00000000,?), ref: 6CBF2322
  • Part of subcall function 6CBF22C9: CloseHandle.KERNELBASE(0000027C,?,?,6CBF173E,00000000,?), ref: 6CBF2335
• ResumeThread.KERNEL32(?,00000000,6CBF468D,CCCCFEEB,00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF454C
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF455A
• SuspendThread.KERNEL32(?), ref: 6CBF456D
• GetLastError.KERNEL32(00000000,6CBF468D,6CBF468D,00000004,?,00000000,00000000,74DEF550,00000000), ref: 6CBF45D9
• ResumeThread.KERNELBASE(?), ref: 6CBF45E4
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Thread$HandleProcessResume$AddressCloseErrorLastModuleObjectOpenProcSingleSuspendWaitWow64memset
• String ID:
• API String ID: 3158980537-0
• Opcode ID: 3734b34cf50187578fea0984291a79839d0a1556893063e23c8320d4cbbb88c1
• Instruction ID: b7bf53af608e10ce6e97ce3a8b46c8b9165ff845f5aff955d537bd41850555bf
• Instruction Fuzzy Hash: A231DD71900258BBDF02AFA5C944ADEBB78EF01368F008162F934A7750D7319E5ACF91
APIs
• lstrcatW.KERNEL32(.dll,?,6CBF0000,00000000,?), ref: 6CBF120F
  • Part of subcall function 6CBF3723: lstrlenA.KERNEL32(6CBF1224,00000000,?,00000027,6CBF0000,00000000,00000000,?,?,?,6CBF1224,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF3759
  • Part of subcall function 6CBF3723: lstrcpyA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF377D
  • Part of subcall function 6CBF3723: lstrcatA.KERNEL32(00000000,00000000,00000027,00000000,?,00000027,6CBF0000,00000000,00000000), ref: 6CBF3785
• HeapFree.KERNEL32(00000000,?,Local\,00000001,00000000,00000001,Local\,00000001,Software\AppDataLow\Software\Microsoft\,00000000), ref: 6CBF1282
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: lstrcat$FreeHeaplstrcpylstrlen
• String ID: .dll$Local\$Software\AppDataLow\Software\Microsoft\
• API String ID: 2335496509-1273941773
• Opcode ID: 99acfeb630928c054cac7ebc5f14a659af525726996e787b8d8c49110735b278
• Instruction ID: f9ee55973e922b6819aef8c67e07787b0fef87324c2b223b26c882a5c12a0ba0
• Instruction Fuzzy Hash: 3D115BB5A01289ABEF00CBA6ED45F9E7BB8EB91204F1050A6A431E7B40E730D609CF51
APIs
• CreateFileW.KERNELBASE(6CBF342F,80000000,00000001,00000000,00000003,00000080,00000000,6CBF3417,04B687C8,6CBF342F,?,?,6CBF1BFB,04B687C8,00000000,00000000), ref: 6CBF3A36
• GetFileSize.KERNEL32(00000000,00000000,?,?,6CBF1BFB,04B687C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A46
• ReadFile.KERNELBASE(6CBF342F,00000000,00000000,6CBF3433,00000000,00000001,?,?,6CBF1BFB,04B687C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F), ref: 6CBF3A72
• GetLastError.KERNEL32(?,?,6CBF1BFB,04B687C8,00000000,00000000,6CBF3417,00000000,6CBF2116,6CBF342F,6CBF3433), ref: 6CBF3A97
• CloseHandle.KERNEL32(000000FF,?,?,6CBF1BFB,04B687C8,00000000,00000000,6CBF3417,00000000,6CBF2116), ref: 6CBF3AA8
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastReadSize
• String ID:
• API String ID: 3577853679-0
• Opcode ID: fda3ee3730789d3e6899d9ef718ab1b151eb642e4fda446a0e8122473d36ff17
• Instruction ID: 41644cd9c9b9f97e9c6811693926bc9ec7671719c589b5331f1cc4fe94abf577
• Instruction Fuzzy Hash: 14115972201295FFDB105F76CC88E9E7B6DDB063A4F10422AF934A7350D3319D4A86A2
APIs
• memset.NTDLL ref: 6CBF436F
  • Part of subcall function 6CBF41BA: memset.NTDLL ref: 6CBF41F6
• ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 6CBF43F9
• WaitForSingleObject.KERNEL32(00000064), ref: 6CBF4407
• Wow64SuspendThread.KERNEL32(?), ref: 6CBF441A
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Threadmemset$ObjectResumeSingleSuspendWaitWow64
• String ID:
• API String ID: 390528492-0
• Opcode ID: 5e0f3dc5824f10c5baaac7896e2811806b5f7e2b07f16bee91de0bc62893f99c
• Instruction ID: c5d6127d432ecac6846b5fedc38fa2e465c2ed4b195dba71b5713391a7266aa7
• Instruction Fuzzy Hash: 8E317E71108381AFE711DF50C980AABBBA9FF88318F004929F6A492761DB71D95DDF93
APIs
• RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,?,?,00000000,000000B7,?,?,?,?), ref: 6CBF3370
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• RegEnumKeyExA.KERNELBASE(?,?,?,?,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?), ref: 6CBF33B7
• WaitForSingleObject.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CBF3424
• RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?), ref: 6CBF344C
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AllocateCloseEnumHeapObjectOpenSingleWait
• String ID:
• API String ID: 3664505660-0
• Opcode ID: 40b6ca95bbdaf3820844f406a47fd0e91415fbb473234a72c875cc56133f205b
• Instruction ID: c01a025978880df60076113d02ef46dac7817f8015366d424635c291b44ed363
• Instruction Fuzzy Hash: 1B317A71D00169EBCF129BAACC448EFFFB9EB85754F104526E9A1B3310C2714A49DB92
APIs
• memcpy.NTDLL(CCCCFEEB,6CBFA9DC,00000018,CCCCFEEB,ZwProtectVirtualMemory,CCCCFEEB,LdrGetProcedureAddress,CCCCFEEB,LdrLoadDll,CCCCFEEB,6CBF4062,?,6CBF45C5,?,?,00000000), ref: 6CBF3EC5
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: memcpy
• String ID: LdrGetProcedureAddress$LdrLoadDll$ZwProtectVirtualMemory
• API String ID: 3510742995-2710412950
• Opcode ID: be35b3dbf3e632f08729bae97c3743b41f8eb14ba6ec141eeabd77bf1bb4688c
• Instruction ID: b26b4d089e5465923a51dcfe1ec991e96474259b2b81f3a0a30ba33eb298a4ef
• Instruction Fuzzy Hash: AF0121707122819BCF48DF55E8C1896B7B1FB92354B12C836E2B497B21D331544E8FB2
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • InterlockedIncrement.KERNEL32(6CBFA948), ref: 6CBF1157
                                                                                                                                                                                  • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6CBF116A
                                                                                                                                                                                  • InterlockedDecrement.KERNEL32(6CBFA948), ref: 6CBF1196
                                                                                                                                                                                  • HeapDestroy.KERNELBASE ref: 6CBF11A6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HeapInterlocked$CreateDecrementDestroyIncrement
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4057829272-0
                                                                                                                                                                                  • Opcode ID: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
                                                                                                                                                                                  • Instruction ID: bb848c8a35e7dee50c46aa7aba71969739e237411599ff4d1c02f77b26540bbe
                                                                                                                                                                                  • Opcode Fuzzy Hash: 552f1dafefe9ba85d1af7ce82a349d281e3d4f78fa30776a43028946b294a158
                                                                                                                                                                                  • Instruction Fuzzy Hash: 92F0F978786282AFEB049F2ADC09B06BEB4EB87764F598925E474D2740D730D54A8B12
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlUpcaseUnicodeString.NTDLL ref: 6CBF15A6
                                                                                                                                                                                  • RtlFreeUnicodeString.NTDLL(?,?,?), ref: 6CBF1628
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: StringUnicode$FreeUpcase
                                                                                                                                                                                  • String ID: N;U
                                                                                                                                                                                  • API String ID: 941810394-3665909347
                                                                                                                                                                                  • Opcode ID: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
                                                                                                                                                                                  • Instruction ID: 04db9d4d0059404eb37b95737045e883904a8c4d1c567b8457c62cb36d00d5ec
                                                                                                                                                                                  • Opcode Fuzzy Hash: 695164c84c50c73660de2ab6641bf5705345b23967e03a015f90dae7595d5a1a
                                                                                                                                                                                  • Instruction Fuzzy Hash: A111D071A01385BADF109A21D84079E73A9EB09714F288D25E871D7FA0DB31E94ECB92
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF2755
                                                                                                                                                                                  • memcpy.NTDLL ref: 6CBF277D
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
                                                                                                                                                                                  • GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
                                                                                                                                                                                  • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 685050087-0
                                                                                                                                                                                  • Opcode ID: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
                                                                                                                                                                                  • Instruction ID: 79cf99de8b29e72afb6cc3e27418fca29fd778fab988e2b27339a1c4fcd54735
                                                                                                                                                                                  • Opcode Fuzzy Hash: 914ff4eeb014556cb12cd194d23102ba3f1fe404812df7a10e0d1ccb786377b5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2E419FB1504381AFD720CF65C945B9BBBF8EB48314F004A29F5A8C6751E730D91A8B63
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF1386
                                                                                                                                                                                    • Part of subcall function 6CBF379A: memcpy.NTDLL(00000000,?,?,?,00000000,00000000,?,?,?,?,6CBF13A4,?,?), ref: 6CBF384F
                                                                                                                                                                                  • HeapFree.KERNEL32(00000000,?,?,?,00000008,EE553B4E,?,?,00000000,EE553B4E), ref: 6CBF13D8
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeapmemcpymemset
                                                                                                                                                                                  • String ID: N;U
                                                                                                                                                                                  • API String ID: 2272576838-3665909347
                                                                                                                                                                                  • Opcode ID: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
                                                                                                                                                                                  • Instruction ID: f846aa8a4bedd2feff064d35cf0f8959c5c9789584d21487d1336933b26f5269
                                                                                                                                                                                  • Opcode Fuzzy Hash: e1b53ea86470dc1dc37a52fc579b615847ec6d0941bd605bcf93c11d8bbdd21a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 51F06DB12022806ADB61CA76AC48E9736BCEBC2348F040925B861C3B40DB61D50E8B61
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetCursorInfo.USER32 ref: 6CBF16FE
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF177B
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: GetLongPathNameW.KERNELBASE(?,00000000,00000000), ref: 6CBF179C
                                                                                                                                                                                    • Part of subcall function 6CBF16B2: CreateFileA.KERNELBASE(c:\321.txt,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?), ref: 6CBF17CD
                                                                                                                                                                                  • ExitProcess.KERNEL32 ref: 6CBF113B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LongNamePath$CreateCursorExitFileInfoProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1773960417-0
                                                                                                                                                                                  • Opcode ID: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
                                                                                                                                                                                  • Instruction ID: d67f01e87a2cb07e2a617664e22e2f7a955f37f86d688e3fd11fc16db191311b
                                                                                                                                                                                  • Opcode Fuzzy Hash: e3b4764ad7365777045b98ff9f1e3b29a9cd6f7917c4f96b04e820c8539f6bad
                                                                                                                                                                                  • Instruction Fuzzy Hash: A8A002F09102C077CD20A7F2981C99E256EAB0320D78CCD097471E3B10CF39D44E5669
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 6CBF2A51
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualFree.KERNEL32(00000000,00000000,00008000,?,00000000,00000000,00000000), ref: 6CBF2A87
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 6CBF2A93
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2ACA
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: StrChrA.SHLWAPI(?,0000002E), ref: 6CBF2AD3
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: lstrcmpiA.KERNEL32(?,NTDLL.DLL), ref: 6CBF2AE6
                                                                                                                                                                                    • Part of subcall function 6CBF2A18: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 6CBF2B37
                                                                                                                                                                                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2B87
                                                                                                                                                                                    • Part of subcall function 6CBF241D: GetProcAddress.KERNEL32(ZwWow64ReadVirtualMemory64,00000000), ref: 6CBF243F
                                                                                                                                                                                    • Part of subcall function 6CBF241D: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,6CBF250D,00000000,00000000,00000028,00000100), ref: 6CBF2461
                                                                                                                                                                                  • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4138075514-0
                                                                                                                                                                                  • Opcode ID: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
                                                                                                                                                                                  • Instruction ID: 349b2e1dac7b352ec203c28e6d01593987971f3df7588759c45d7327db196996
                                                                                                                                                                                  • Opcode Fuzzy Hash: 461a0d5f64f94fdcb38babb22293be19be242b49ce4518d4d1cbdd14bd51cd1e
                                                                                                                                                                                  • Instruction Fuzzy Hash: EA21C471D01268ABCF11CFE5DC84ACEBBB4FF09714F20412AE924B2650C3749A0ACF91
APIs
• RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
• Instruction ID: b8ce547b5503943abe1f2380b6df63760ba07a9de63245981ce5e6f619c5a836
• Opcode Fuzzy Hash: 23977dcb478b552ebb45a1d426bcfa155fb3a10993af1e104911ee3f834ff5dc
• Instruction Fuzzy Hash: BCB01231610100FFCF014B20DD09F057B71B752700F01C021B3140136082320420EF14
APIs
• RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
• Instruction ID: 82c2d1d36811edfd1c03c23f412d2c1185ad7d48691b39041a0e41481a5e6262
• Opcode Fuzzy Hash: 284e62c275f0e935d674ad9e9211603806e6477f363f4826ec41c9b06cb38cf8
• Instruction Fuzzy Hash: B7B01231200100AFCE014B20DD09F057B71B752700F118021B3180226082324420EF08
APIs
  • Part of subcall function 6CBF2344: GetProcAddress.KERNEL32(Wow64EnableWow64FsRedirection,6CBF3278), ref: 6CBF2358
  • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E,00000000,6CBFAA50,00000001), ref: 6CBF2FF9
  • Part of subcall function 6CBF2FCE: HeapAlloc.KERNEL32(00000000,EE553B4E), ref: 6CBF301B
  • Part of subcall function 6CBF2FCE: memset.NTDLL ref: 6CBF3035
  • Part of subcall function 6CBF2FCE: CreateFileA.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,%systemroot%\system32\c_1252.nls), ref: 6CBF306C
  • Part of subcall function 6CBF2FCE: GetFileTime.KERNEL32(00000000,?,00000000,00000000), ref: 6CBF3080
  • Part of subcall function 6CBF2FCE: CloseHandle.KERNEL32(?), ref: 6CBF3097
  • Part of subcall function 6CBF2FCE: StrRChrA.KERNELBASE(6CBF11FC,00000000,0000005C), ref: 6CBF30A3
  • Part of subcall function 6CBF2FCE: lstrcatA.KERNEL32(6CBF11FC,\*.dll), ref: 6CBF30DD
  • Part of subcall function 6CBF2FCE: FindFirstFileA.KERNELBASE(6CBF11FC,?), ref: 6CBF30F3
  • Part of subcall function 6CBF2FCE: CompareFileTime.KERNEL32(?,?), ref: 6CBF3111
  • Part of subcall function 6CBF361F: lstrlenA.KERNEL32(6CBF11FC,00000000,6CBFAA50,00000001,6CBF3293,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?), ref: 6CBF3628
  • Part of subcall function 6CBF361F: mbstowcs.NTDLL ref: 6CBF364F
  • Part of subcall function 6CBF361F: memset.NTDLL ref: 6CBF3661
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF0000,00000000,00000000,?,?,?,6CBF11FC,?,6CBF0000,00000000,?), ref: 6CBF32AF
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$Heap$AllocTimememset$AddressCloseCompareCreateFindFirstFreeHandleProclstrcatlstrlenmbstowcs
• String ID:
• API String ID: 1861520213-0
• Opcode ID: 632c0a7c1917480f9722b3c4b5c66ef441b6baff53464fb0fa8255fc2ce78c89
• Instruction ID: ebcfe3817d436e011c8e8b27472f73346dde29b45614a4c710ced3c922e8d06a
• Opcode Fuzzy Hash: 632c0a7c1917480f9722b3c4b5c66ef441b6baff53464fb0fa8255fc2ce78c89
• Instruction Fuzzy Hash: 3401F5313002C47EEF005EE6CC85BAA76A8FB46218F600035E974D7750D661CD8F9767
APIs
  • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
• memset.NTDLL ref: 6CBF29C9
  • Part of subcall function 6CBF272F: memset.NTDLL ref: 6CBF2755
  • Part of subcall function 6CBF272F: memcpy.NTDLL ref: 6CBF277D
  • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,00000218,6CBF4BEC,00000100,?,00000318,00000008), ref: 6CBF2794
  • Part of subcall function 6CBF272F: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,6CBF4BEC,00000100), ref: 6CBF2877
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: ErrorLastmemset$AllocateHeapmemcpy
• String ID:
• API String ID: 4290293647-0
• Opcode ID: 5ce2d39bcb20866ebbd57dce7cee95c78a89a614e1bba70ba642c17971872cf7
• Instruction ID: e20a20b4ffe397072f3337a5f6c6b14e1848c08153cef7b13dc2852d9c751d95
• Opcode Fuzzy Hash: 5ce2d39bcb20866ebbd57dce7cee95c78a89a614e1bba70ba642c17971872cf7
• Instruction Fuzzy Hash: E801D6715013C86BD321CF29DC44B8B3BE8EF45718F10862AF86497B41D774E90E87A2
APIs
• VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,6CBF8410,00000030,6CBF26CC,ZwGetContextThread,?,6CBF2762,?,00000318,00000008), ref: 6CBF2C12
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 589042aa51d45c6921daadf7d904c4c7d04190ad83041130710503daa941447a
• Instruction ID: 543552ed40ee6eae6b20bfc3490eeef5b903297026812cac47cae92350035e03
• Opcode Fuzzy Hash: 589042aa51d45c6921daadf7d904c4c7d04190ad83041130710503daa941447a
• Instruction Fuzzy Hash: 11D01730E01659ABCF10DB95D84A99EFB71BF09720F608220E87077690C3301A5ACF91
APIs
• GetModuleHandleA.KERNEL32(NTDLL.DLL,6CBF0000,00000000,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2E98
• GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00000000,?,6CBF1894,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF2EA8
  • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: HandleModule$lstrcmp
• String ID: KERNEL32.DLL$N;U$NTDLL.DLL$~
• API String ID: 397996933-4041261047
• Opcode ID: c75f3fc916f4e1d08d367147cd98a7bead831588aa657aaf0338dd4b18985a79
• Instruction ID: 19f683aebdfabf4a7f57d7103aee2776fbd708fb934894f2d6cf2f36c3ea8b17
• Opcode Fuzzy Hash: c75f3fc916f4e1d08d367147cd98a7bead831588aa657aaf0338dd4b18985a79
• Instruction Fuzzy Hash: 5C01A772A073E59FE710CF59EC8451A7BE8EB4E294B22052AE83097740C771A90D4F93
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF28A7
                                                                                                                                                                                  • GetLastError.KERNEL32(?,00000318,00000008), ref: 6CBF299A
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: NtAllocateVirtualMemory.NTDLL(6CBF28CF,00000000,00000000,6CBF28CF,00003000,00000040), ref: 6CBF2E63
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: RtlNtStatusToDosError.NTDLL ref: 6CBF2E6A
                                                                                                                                                                                    • Part of subcall function 6CBF2E32: SetLastError.KERNEL32(00000000), ref: 6CBF2E71
                                                                                                                                                                                    • Part of subcall function 6CBF2D8F: RtlNtStatusToDosError.NTDLL ref: 6CBF2DA7
                                                                                                                                                                                  • memcpy.NTDLL(00000218,6CBF4C11,00000100,?,00010003,?,?,00000318,00000008), ref: 6CBF2922
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 6CBF297C
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2966525677-0
                                                                                                                                                                                  • Opcode ID: 17528c22e1ccc223da11ebd04ec031f5d6751a80abf4e0853c70a829936daa3b
                                                                                                                                                                                  • Instruction ID: b074362c9688eb71973382dc2ea38a9388693c49841304976b1dd1f9fc47c78e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 17528c22e1ccc223da11ebd04ec031f5d6751a80abf4e0853c70a829936daa3b
                                                                                                                                                                                  • Instruction Fuzzy Hash: F931C27190124AAFDB10CF64C998ADEB7B8EB04308F10857AE566D7B40D730EE4A8F52
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF1DF9
                                                                                                                                                                                  • CoInitializeEx.OLE32(00000000,00000002,6CBF0000,00000000,00000000), ref: 6CBF1E04
                                                                                                                                                                                  • PathFindExtensionW.SHLWAPI(00000000,00000750), ref: 6CBF1E1F
                                                                                                                                                                                  • lstrcpyW.KERNEL32(00000000,.dll), ref: 6CBF1E34
                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000), ref: 6CBF1E41
                                                                                                                                                                                  • lstrlenW.KERNEL32(?), ref: 6CBF1E4A
                                                                                                                                                                                  • lstrlenA.KERNEL32(?), ref: 6CBF1E51
                                                                                                                                                                                  • lstrcpyW.KERNEL32(00000000,.exe), ref: 6CBF1E82
                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000), ref: 6CBF1E8F
                                                                                                                                                                                  • lstrlenW.KERNEL32(04B687C8), ref: 6CBF1E95
                                                                                                                                                                                  • wsprintfW.USER32 ref: 6CBF1EB9
                                                                                                                                                                                  • ShellExecuteExW.SHELL32(0000003C), ref: 6CBF1EEE
                                                                                                                                                                                  • CoUninitialize.OLE32(00000000), ref: 6CBF1F02
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: lstrlen$lstrcpy$ExecuteExtensionFindInitializePathShellUninitializememsetwsprintf
                                                                                                                                                                                  • String ID: .dll$.exe$/C "copy "%s" "%s" /y && "%s" "%s""$/C "copy "%s" "%s" /y && rundll32 "%s",%S"$<$PDu$cmd.exe$runas
                                                                                                                                                                                  • API String ID: 1734841466-4037923481
                                                                                                                                                                                  • Opcode ID: 9e9647a51e4acdab2d58de727921fac9f03d9bb0f85fee244261edb201bdbe23
                                                                                                                                                                                  • Instruction ID: 92d29e734af3ffaaaf88026adfeb7d1a2061a2e86b4f72d9d148a6fcf97133ee
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9e9647a51e4acdab2d58de727921fac9f03d9bb0f85fee244261edb201bdbe23
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6131E6B2D01258ABCF119BA69C44D9F7ABCEF06748B084916F920A7701D734CE0ACBA1
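                                                                                                                                                                                   The function above is the one that gives this loader its re-launch step: it builds one of the two cmd.exe parameter strings shown in the String ID line (`/C "copy "%s" "%s" /y && "%s" "%s""` or `/C "copy "%s" "%s" /y && rundll32 "%s",%S"`), then hands "cmd.exe", that string and the "runas" verb to ShellExecuteExW, so the copy-and-start happens in a single child process, behind a UAC consent prompt when elevation is required. The detector below is an added example written for this page, not code from Joe Sandbox or from the sample: it turns those two format strings into a regex, parses process-creation events, and cross-checks that the file being started is the copy that was just written. The Sysmon-style field names (Image, CommandLine, ParentImage), the file paths, the argument "-install" and the export name "ExportName" in the sample events are assumptions, constructed for the example; the report does not show the export the sample actually uses.

```python
"""Detect the copy-and-relaunch cmd.exe pattern recovered from the sample.

The two wsprintfW format strings visible in the disassembly summary are:
    /C "copy "%s" "%s" /y && "%s" "%s""
    /C "copy "%s" "%s" /y && rundll32 "%s",%S"
They are passed to ShellExecuteExW with "cmd.exe" and the "runas" verb, so
the observable artefact is a cmd.exe process whose command line copies a
file (/y = overwrite without asking) and immediately starts the copy.
"""
import re
from typing import Iterable, Optional

# Regex derived directly from the two format strings. Named groups keep the
# copy source, copy destination and the relaunched image for cross-checking.
COPY_AND_RELAUNCH = re.compile(
    r'/C\s+"copy\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"\s+/y\s+&&\s+'
    r'(?:rundll32(?:\.exe)?\s+"(?P<dll>[^"]+)",(?P<export>[^"\s]+)'
    r'|"(?P<exe>[^"]+)"\s+"(?P<arg>[^"]*)")"',
    re.IGNORECASE,
)


def parse_copy_relaunch(cmdline: str) -> Optional[dict]:
    """Return parsed fields if cmdline matches either format string, else None."""
    m = COPY_AND_RELAUNCH.search(cmdline)
    if not m:
        return None
    g = m.groupdict()
    relaunched = g["dll"] if g["dll"] is not None else g["exe"]
    return {
        "variant": "rundll32" if g["dll"] is not None else "exe",
        "src": g["src"],
        "dst": g["dst"],
        "relaunched": relaunched,
        "export": g["export"],  # None for the exe variant
        # Heuristic (assumption): the loader starts the copy it just wrote, so
        # the copy destination should be the relaunched image. A mismatch is
        # still worth a look but is weaker evidence of this exact loader.
        "copy_is_relaunched": g["dst"].lower() == relaunched.lower(),
    }


def scan(events: Iterable[dict]) -> list:
    """Scan process-creation events (Sysmon Event ID 1 style fields, assumed:
    Image, CommandLine, ParentImage) and return one finding per matching
    cmd.exe launch."""
    findings = []
    for ev in events:
        if not ev.get("Image", "").lower().endswith("cmd.exe"):
            continue
        parsed = parse_copy_relaunch(ev.get("CommandLine", ""))
        if parsed is None:
            continue
        parsed["parent"] = ev.get("ParentImage", "")
        findings.append(parsed)
    return findings


# Constructed sample events. Paths, the "-install" argument and "ExportName"
# are hypothetical; only the command-line shape comes from the report.
SAMPLE_EVENTS = [
    {   # rundll32 variant: DLL copied to a new location, then started via rundll32
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C "copy "C:\Users\alice\Downloads\atw3.dll" '
                       r'"C:\Users\alice\AppData\Roaming\qx\atw3.dll" /y && '
                       r'rundll32 "C:\Users\alice\AppData\Roaming\qx\atw3.dll",ExportName"',
    },
    {   # exe variant: executable copied, then the copy run with one argument
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\alice\Downloads\setup.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C "copy "C:\Users\alice\Downloads\setup.exe" '
                       r'"C:\Users\alice\AppData\Roaming\qx\setup.exe" /y && '
                       r'"C:\Users\alice\AppData\Roaming\qx\setup.exe" "-install""',
    },
    {   # benign: a plain copy with no relaunch must not match
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C "copy "C:\tmp\a.txt" "C:\tmp\b.txt" /y"',
    },
    {   # benign: unrelated cmd.exe use
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /C dir',
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

                                                                                                                                                                                   Two points for anyone turning this into a rule: the regex anchors on the `/C "copy ... /y &&` shape rather than on cmd.exe's path, because ShellExecuteExW resolves "cmd.exe" itself and the logged Image may differ between hosts; and because the verb is "runas", a matching cmd.exe launch that is preceded by a UAC consent prompt for cmd.exe is the corroborating event to look for in the same timeline.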
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 6CBF589A
                                                                                                                                                                                  • CreateWindowExW.USER32(00000000,WndClass1_56,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF58D4
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ClassCreateRegisterWindow
                                                                                                                                                                                  • String ID: 0$WndClass1_56$WndClass1_56$WndClass2_56$WndClass2_56
                                                                                                                                                                                  • API String ID: 3469048531-2885991380
                                                                                                                                                                                  • Opcode ID: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
                                                                                                                                                                                  • Instruction ID: 1da1817ac81876e7fe78940ce27b6f698a9a8a0e4fe90b04bb89c4cb50f8de6e
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3fc918456768c9c925a8391f982a81897f6227de3abe050279e10ff85aabba21
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B513AB0E40248EFDB08CF95C858B9EBBB4FB0A318F14C51AE5256B780D7755A4ACF94
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(?,0123456789ABCDEF,00000022), ref: 6CBF553B
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF5668
                                                                                                                                                                                  • SuspendThread.KERNEL32(?), ref: 6CBF567B
                                                                                                                                                                                  • RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF56B9
                                                                                                                                                                                  • RegisterClassExW.USER32(00000030), ref: 6CBF56C3
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF572E
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF5741
                                                                                                                                                                                  • SwitchToThread.KERNEL32 ref: 6CBF5747
                                                                                                                                                                                    • Part of subcall function 6CBF5240: UnregisterClassW.USER32(?,?), ref: 6CBF528B
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$ClassCriticalSection$EnterFontLeaveRegisterRemoveResourceResumeSuspendSwitchUnregistermemcpy
                                                                                                                                                                                  • String ID: 0$0123456789ABCDEF
                                                                                                                                                                                  • API String ID: 196111645-1037189808
                                                                                                                                                                                  • Opcode ID: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
                                                                                                                                                                                  • Instruction ID: ec8ae05ca656cbd865962590630f0c9e5ad1a008833ab2aeeebbd841a51fc812
                                                                                                                                                                                  • Opcode Fuzzy Hash: e3e7ff359721d26cf74c09781693cf8e9494aaee3b637eb2a86ea3c6dd347adb
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C6149B4A00248CFCB08CF94E594B9DBBB5FB49318F14C16AE9286BB51C735694ECF58
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF677E
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF6791
                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 6CBF6799
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF67EE
                                                                                                                                                                                  • AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f94438b8bd17f9050a9dea7b246f9eb85ee1498fe1288e9b50cf8e19cf6b4ae
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF677E
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF6791
                                                                                                                                                                                  • Sleep.KERNEL32(00000000), ref: 6CBF6799
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(-0000044C), ref: 6CBF67D0
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF67EE
                                                                                                                                                                                  • AddFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF6804
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(-0000044C), ref: 6CBF6815
                                                                                                                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 6CBF682A
                                                                                                                                                                                  • SetMenu.USER32(?,00000000), ref: 6CBF6863
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                   • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                   • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterFontLeaveLongMenuResourceSleepWindowmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1405369809-0
                                                                                                                                                                                  • Opcode ID: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
                                                                                                                                                                                  • Instruction ID: 08df507158272cc273856123b5602cc3088f27b00d71314dcbc0f5dee1ae3187
                                                                                                                                                                                  • Opcode Fuzzy Hash: 00dd64ca0e21d73653d67ea303f3724bdefa5fcafd8374b4fd996931f36af477
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1E312A757402009FDB08DF14E998B527379E746319F14826AFE298BB92C732A88ACF55
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000000,00000000,00000000,00000000,00000000,6CBF3BA2,?,04B687C8,00000000,6CBF1E14,00000750), ref: 6CBF3B38
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • GetTempPathA.KERNEL32(00000000,00000000,0000001D), ref: 6CBF3B51
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 6CBF3B58
                                                                                                                                                                                  • GetTempFileNameA.KERNEL32(00000000,00000000,?), ref: 6CBF3B66
                                                                                                                                                                                  • PathFindExtensionA.SHLWAPI(00000000,.bin), ref: 6CBF3B76
                                                                                                                                                                                  • lstrcpyA.KERNEL32(00000000), ref: 6CBF3B7D
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: PathTemp$AllocateCountExtensionFileFindHeapNameTicklstrcpy
                                                                                                                                                                                  • String ID: .bin
                                                                                                                                                                                  • API String ID: 1954728293-886015214
                                                                                                                                                                                  • Opcode ID: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
                                                                                                                                                                                  • Instruction ID: 3905d135d33b871c7896516b736e2a5dbd637fd96508635cecfa37c238bceb92
                                                                                                                                                                                  • Opcode Fuzzy Hash: b47c474c7be8c3763d66592e43e6b9d4e67011f2490b85173f382be863f10d08
                                                                                                                                                                                  • Instruction Fuzzy Hash: AAF0F6323429616786115AFB5C48D9F6A7CEF4B565B00021AF534D3700CB20C50F86F6
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
                                                                                                                                                                                  • lstrlenW.KERNEL32(00000000,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000), ref: 6CBF1D69
                                                                                                                                                                                    • Part of subcall function 6CBF11B2: RtlAllocateHeap.NTDLL(00000000,6CBF0000,6CBF1B4C,6CBF0000), ref: 6CBF11BE
                                                                                                                                                                                  • PathFindFileNameW.SHLWAPI(00000000,6CBF0000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D81
                                                                                                                                                                                  • lstrcpyW.KERNEL32(00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1D92
                                                                                                                                                                                  • lstrcpyW.KERNEL32(?,Low\,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DA4
                                                                                                                                                                                  • lstrcatW.KERNEL32(00000000,?,?,?,6CBF18F2,?,?,?,EE553B4E,00000001,00000000,6CBFA95C), ref: 6CBF1DAA
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
                                                                                                                                                                                    • Part of subcall function 6CBF3AC5: CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
                                                                                                                                                                                    • Part of subcall function 6CBF11C7: RtlFreeHeap.NTDLL(00000000,00000000,6CBF1B7B,00000000), ref: 6CBF11D3
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Heaplstrcpy$AllocateCloseCreateErrorFindFreeHandleLastNamePathWritelstrcatlstrlen
                                                                                                                                                                                  • String ID: Low\
                                                                                                                                                                                  • API String ID: 3723596976-2980988522
                                                                                                                                                                                  • Opcode ID: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
                                                                                                                                                                                  • Instruction ID: 5e8701f11d77c39a025a0949a0e6b88ad5f1dc7e94c412a8fb6a500fcdbcd2cb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3b92a28ca632eda3a4e2fb5cfbaba16a0c9f7dee6ad5ab181ed83807a4a05414
                                                                                                                                                                                  • Instruction Fuzzy Hash: 321191BA501669BBDF015BB68C44CDF76BCEF067587084915F92097B00CB75CA0A8BF1
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(NTDLL.DLL,?,CCCCFEEB,6CBF406A,?,?,?,00000000), ref: 6CBF3DBA
                                                                                                                                                                                  • memcpy.NTDLL(?,6CBFA9C4,00000018,ZwProtectVirtualMemory,LdrGetProcedureAddress,LdrLoadDll), ref: 6CBF3E25
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HandleModulememcpy
                                                                                                                                                                                  • String ID: LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
                                                                                                                                                                                  • API String ID: 1801490239-3173696408
                                                                                                                                                                                  • Opcode ID: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
                                                                                                                                                                                  • Instruction ID: ffeb380d8d970bc5294ced276848d6be44e6e33cb8b0d0530b48e838d2b55140
                                                                                                                                                                                  • Opcode Fuzzy Hash: a5ba9e34f1fc7414ccfd969a7f33db6b7387a18b50ad045d4e90e168e51874a6
                                                                                                                                                                                  • Instruction Fuzzy Hash: 530140B9B039819B9B09DA1AE945C573AB1F7C9318712C836E274D7B10D334944E8E73
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualAlloc.KERNEL32(00000000,-00001000,00003000,00000004), ref: 6CBF5A8B
                                                                                                                                                                                    • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,6CBF5C0B), ref: 6CBF5386
                                                                                                                                                                                    • Part of subcall function 6CBF5320: GetAncestor.USER32(?,00000001,?,?,6CBF5C0B), ref: 6CBF539B
                                                                                                                                                                                    • Part of subcall function 6CBF5320: SetWindowLongW.USER32(?,?,?), ref: 6CBF53D9
                                                                                                                                                                                  • memset.NTDLL ref: 6CBF5AB1
                                                                                                                                                                                  • SetWindowLongW.USER32(?,?,00000000), ref: 6CBF5B2D
                                                                                                                                                                                  • SetClassLongW.USER32(?,00000000,00000000), ref: 6CBF5B47
                                                                                                                                                                                  • SetWindowLongW.USER32(?,?,-00000018), ref: 6CBF5B81
                                                                                                                                                                                  • VirtualFree.KERNEL32(00000000,-00001000,00010000), ref: 6CBF5B99
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Long$Window$Virtual$AllocAncestorClassFreememset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 210331842-0
                                                                                                                                                                                  • Opcode ID: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
                                                                                                                                                                                  • Instruction ID: 4b866780d81807b53a4af51d80212cabb928143c0fb43d53a00e6ddbf7fe0d85
                                                                                                                                                                                  • Opcode Fuzzy Hash: 099376858564f34e83fcb847505bcc84499464a5c3dd242894f273dca5dc400a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83513AB5700104EFCB08CF98D594FAAB7B5FB89304F1082AAED299B755C731AA49CF54
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrcpynA.KERNEL32(?,.bss,00000008,?,00000000,00000000,?,?,?,?,?,?,?), ref: 6CBF3489
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: lstrcpyn
                                                                                                                                                                                  • String ID: .bss$Apr 11 2017$N;U$N;U$version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
                                                                                                                                                                                  • API String ID: 97706510-2121357827
                                                                                                                                                                                  • Opcode ID: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
                                                                                                                                                                                  • Instruction ID: bb5a7339562cc7116cf36ba3f756b68a3f4c171f1f3ff192e00d3cceaef4690d
                                                                                                                                                                                  • Opcode Fuzzy Hash: b06b3e2116854ffa93fee49613f331b886caa7b5254e56c7cd7ebd406dd6e688
                                                                                                                                                                                  • Instruction Fuzzy Hash: 20419F71A002599BDB05CF89C4C0AAEB7B2FF89318F258159DD206B705C374E94ACF92
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RemoveFontResourceExW.GDI32(-0000000C,00000010,00000000), ref: 6CBF543C
                                                                                                                                                                                  • SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF545C
                                                                                                                                                                                  • SetThreadAffinityMask.KERNEL32(?,-00000001), ref: 6CBF548C
                                                                                                                                                                                  • SetThreadPriority.KERNEL32(?,?), ref: 6CBF54AE
                                                                                                                                                                                  • ResumeThread.KERNEL32(?), ref: 6CBF54DF
                                                                                                                                                                                  • SwitchToThread.KERNEL32 ref: 6CBF54E5
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
                                                                                                                                                                                  • Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$AffinityMask$FontPriorityRemoveResourceResumeSwitch
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3293583530-0
                                                                                                                                                                                  • Opcode ID: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
                                                                                                                                                                                  • Instruction ID: 9c0a5c3a3cfb1f3b8c9d6fc981a2cf4cc05864e3cf2f8c6865b2b463514c51b8
                                                                                                                                                                                  • Opcode Fuzzy Hash: b1cbd5d15f2183d7deff43962c4bafc23a7e855a09c05997bd67676b716ae4d0
                                                                                                                                                                                  • Instruction Fuzzy Hash: 10219F71704200DFCB08CF25D888B9A73BAFB86305F54C169E9298BB55CB75998DDF04
APIs
• CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,6CBF0000,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000), ref: 6CBF3ADE
• GetLastError.KERNEL32(?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E,00000001), ref: 6CBF3AEB
• WriteFile.KERNEL32(00000000,?,00001000,?,00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2), ref: 6CBF3B01
• SetEndOfFile.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B0C
• CloseHandle.KERNEL32(00000000,?,6CBF1D64,00000000,?,?,00001FD1,00000000,00000000,?,?,6CBF18F2,?,?,?,EE553B4E), ref: 6CBF3B1D
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastWrite
• String ID:
• API String ID: 1150274393-0
APIs
• LoadLibraryW.KERNEL32(USER32.dll,IsMenu,6CBF70E8), ref: 6CBF50A0
• GetProcAddress.KERNEL32(00000000), ref: 6CBF50A7
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: 0$IsMenu$USER32.dll
• API String ID: 2574300362-703140235
APIs
• lstrlenW.KERNEL32(00000000,00000000,?,6CBF207F,00000000,FF571A75), ref: 6CBF3301
• lstrlenA.KERNEL32(6CBF207F,?,6CBF207F,00000000,FF571A75), ref: 6CBF330C
• HeapAlloc.KERNEL32(00000000,00000022,?,6CBF207F,00000000,FF571A75), ref: 6CBF3321
• wsprintfW.USER32 ref: 6CBF3339
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: lstrlen$AllocHeapwsprintf
• String ID: rundll32 "%s",%S
• API String ID: 458455750-2508549009
APIs
• CreateWindowExW.USER32(00000000,00008002,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 6CBF5792
• SetWindowLongW.USER32(00000000,00000000,31323334), ref: 6CBF57C5
• DestroyWindow.USER32(00000000,00000000), ref: 6CBF57FE
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Window$CreateDestroyLong
• String ID: 4321
• API String ID: 409825929-3297689448
APIs
  • Part of subcall function 6CBF2C92: GetModuleFileNameW.KERNEL32(0000007F,00000000,00000104,00000208,00000000,00000000,?,?,6CBF2386,00000000), ref: 6CBF2CB8
  • Part of subcall function 6CBF389C: lstrcmpA.KERNEL32(?,?,00000000,00000000), ref: 6CBF3950
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00000000,00000000,00000000,?,00000000,0000007F), ref: 6CBF23C0
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23D2
• ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF23EA
• CloseHandle.KERNEL32(?,?,?,?,?,?,6CBF3DD0,LdrLoadDll), ref: 6CBF2405
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: File$CloseCreateHandleModuleNamePointerReadlstrcmp
• String ID:
• API String ID: 3110218675-0
APIs
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,6CBF16D8), ref: 6CBF1A62
• GetVersion.KERNEL32(?,6CBF16D8), ref: 6CBF1A71
• GetCurrentProcessId.KERNEL32(?,6CBF16D8), ref: 6CBF1A8D
• OpenProcess.KERNEL32(0000047A,00000000,00000000,?,6CBF16D8), ref: 6CBF1AA6
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: Process$CreateCurrentEventOpenVersion
• String ID:
• API String ID: 845504543-0
APIs
• LoadLibraryW.KERNEL32(ntdll.dll,6CBF51A0,?,6CBF51A0,NtAllocateVirtualMemory), ref: 6CBF507C
• GetProcAddress.KERNEL32(00000000), ref: 6CBF5083
Strings
Memory Dump Source
• Source File: 00000005.00000002.1716486508.000000006CBF1000.00000040.00000001.01000000.00000003.sdmp, Offset: 6CBF0000, based on PE: true
• Associated: 00000005.00000002.1716468666.000000006CBF0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.1716486508.000000006CBFD000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_6cbf0000_rundll32.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B716B2
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B716EC
                                                                                                                                                                                  • memset.NTDLL ref: 00B7170E
                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B7171E
                                                                                                                                                                                    • Part of subcall function 00B780A4: lstrlenA.KERNEL32 ref: 00B780C2
                                                                                                                                                                                    • Part of subcall function 00B780A4: HeapAlloc.KERNEL32 ref: 00B780DC
                                                                                                                                                                                    • Part of subcall function 00B780A4: memcpy.NTDLL ref: 00B780F3
                                                                                                                                                                                    • Part of subcall function 00B780A4: memset.NTDLL ref: 00B78105
                                                                                                                                                                                  • CreateMutexExA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B7177A
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71787
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B717A0
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B717ED
                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B7180A
                                                                                                                                                                                  • InitializeCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B7182C
                                                                                                                                                                                  • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71847
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B7187F
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B718E5
                                                                                                                                                                                  • GetUserNameA.ADVAPI32 ref: 00B719B2
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B719D1
                                                                                                                                                                                  • GetUserNameA.ADVAPI32 ref: 00B719EE
                                                                                                                                                                                  • memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71A2D
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71A51
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71A6A
                                                                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71B34
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71BC9
                                                                                                                                                                                  • GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71C38
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71DCB
                                                                                                                                                                                  • CreateThread.KERNELBASE ref: 00B71E08
                                                                                                                                                                                  • CreateStreamOnHGlobal.COMBASE ref: 00B71E4C
                                                                                                                                                                                    • Part of subcall function 00B79640: HeapAlloc.KERNEL32 ref: 00B796E3
                                                                                                                                                                                    • Part of subcall function 00B79640: memcpy.NTDLL ref: 00B7971F
                                                                                                                                                                                    • Part of subcall function 00B79640: HeapFree.KERNEL32 ref: 00B79735
                                                                                                                                                                                  • CreateEventA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71F6F
                                                                                                                                                                                  • CreateThread.KERNEL32 ref: 00B71FA4
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71FB6
                                                                                                                                                                                  • LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B71FEC
                                                                                                                                                                                  • CreateNamedPipeA.KERNEL32 ref: 00B72050
                                                                                                                                                                                  • CreateThread.KERNEL32 ref: 00B7207C
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A6E7
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: TlsAlloc.KERNEL32 ref: 00B6A6F6
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A71B
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A728
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A735
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A742
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A74F
                                                                                                                                                                                    • Part of subcall function 00B6A6D8: LoadLibraryA.KERNEL32 ref: 00B6A75C
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B7208E
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B72099
                                                                                                                                                                                  • StrChrA.SHLWAPI ref: 00B72173
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B721C9
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00B721F2
                                                                                                                                                                                  • wsprintfA.USER32 ref: 00B7222A
                                                                                                                                                                                  • CreateThread.KERNELBASE ref: 00B72254
                                                                                                                                                                                    • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64DFF
                                                                                                                                                                                    • Part of subcall function 00B64DA8: HeapAlloc.KERNEL32 ref: 00B64E17
                                                                                                                                                                                    • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64E3F
                                                                                                                                                                                    • Part of subcall function 00B64DA8: RegCloseKey.KERNELBASE ref: 00B64E6F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Alloc$CreateLibraryLoad$Handle$CriticalInitializeModuleSectionThread$CloseErrorFreeLastmemcpy$NameQueryTimeUserValuememset$EventFileGlobalMutexNamedPipeStreamSystemVersionlstrlenwsprintf
                                                                                                                                                                                  • String ID: 0123456789ABCDEF$; Win64; x64$ADVAPI32.DLL$Jw$Jw$KERNEL32.DLL$Mozilla/4.0 (compatible; MSIE 8.0; Windows NT %u.%u%s)$NTDLL.DLL$OPERA.EXE$OpHook$Scr$http://constitution.org/usdeclar.txt
                                                                                                                                                                                  • API String ID: 3886649994-625596255
                                                                                                                                                                                  • Opcode ID: bf07bb3769f7b1dc7a264cdde8079e0b0185302cb47549cc338b8c3d68993ad1
                                                                                                                                                                                  • Instruction ID: 05d6da9be6ca3ebeee0cf1dc27d0351f42f2d878846895e35ebe99615ec7964a
                                                                                                                                                                                  • Opcode Fuzzy Hash: bf07bb3769f7b1dc7a264cdde8079e0b0185302cb47549cc338b8c3d68993ad1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3B62BA31204B4186EB20DF2AF99476977A1F788B84F908966DB5E67730DF3CC98AC710

                                                                                                                                                                                  Control-flow Graph (interactive graph not reproduced)
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 00B7CC31
                                                                                                                                                                                  • NtCreateSection.NTDLL ref: 00B7CCAE
                                                                                                                                                                                  • memset.NTDLL ref: 00B7CCDF
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 00B7CCFC
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B7CD8D
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B7CDC4
                                                                                                                                                                                    • Part of subcall function 00B7DDCC: NtMapViewOfSection.NTDLL ref: 00B7DE0C
                                                                                                                                                                                    • Part of subcall function 00B7DDCC: RtlNtStatusToDosError.NTDLL ref: 00B7DE14
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B7CEC8
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B7CF26
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B7D02A
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B7D0FB
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B7D11B
                                                                                                                                                                                  • memset.NTDLL ref: 00B7D131
                                                                                                                                                                                    • Part of subcall function 00B77540: memset.NTDLL ref: 00B77571
                                                                                                                                                                                    • Part of subcall function 00B77540: RtlNtStatusToDosError.NTDLL ref: 00B775D7
                                                                                                                                                                                    • Part of subcall function 00B77540: memcpy.NTDLL ref: 00B7762C
                                                                                                                                                                                    • Part of subcall function 00B77540: NtSetContextThread.NTDLL ref: 00B77682
                                                                                                                                                                                    • Part of subcall function 00B77540: RtlNtStatusToDosError.NTDLL ref: 00B77686
                                                                                                                                                                                    • Part of subcall function 00B77540: GetLastError.KERNEL32 ref: 00B776A2
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B7D164
                                                                                                                                                                                  • NtUnmapViewOfSection.NTDLL ref: 00B7D198
                                                                                                                                                                                  • RtlNtStatusToDosError.NTDLL ref: 00B7D1A0
                                                                                                                                                                                  • CloseHandle.KERNEL32 ref: 00B7D1B0
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$Error$Status$memset$Section$HeapView$AllocCloseContextCreateFreeHandleLastThreadUnmap
                                                                                                                                                                                  • String ID: 0$LdrGetProcedureAddress$LdrLoadDll$NTDLL.DLL$ZwProtectVirtualMemory
                                                                                                                                                                                  • API String ID: 1633951974-3034875462
                                                                                                                                                                                  • Opcode ID: 2b6025ac17adb076bd25fab8cfcbd5944291990cb652eff4360a96f0a4573b71
                                                                                                                                                                                  • Instruction ID: 18488ac3489ef010fbca592163234b3bdc33e7dc262887446e2d974b9dcf2aee
                                                                                                                                                                                  • Opcode Fuzzy Hash: 2b6025ac17adb076bd25fab8cfcbd5944291990cb652eff4360a96f0a4573b71
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83F1A876304B8086DB20DF25E99076A7BF1F788B84F44892ADB6E47B58DF38D885C700

Control-flow Graph

APIs
• HeapCreate.KERNELBASE(?,?,?,?,?,00B6166F), ref: 00B6140C
• GetTickCount.KERNEL32 ref: 00B61426
• CreateEventA.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B61441
• GetVersion.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B61453
• GetCurrentProcessId.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B61472
• OpenProcess.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B6148F
• lstrcpynA.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B614E7
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateProcess$CountCurrentEventHeapOpenTickVersionlstrcpyn
• String ID: .bss$Apr 11 2017$N;U$version=%u&soft=1&user=%08x%08x%08x%08x&server=%u&id=%u&type=%u&name=%s
• API String ID: 1468320662-1589204589
• Opcode ID: bb262326a0f9ea5345169aa7735c8ac6c6989bb46798797f3271d0e56f48b3a3
• Instruction ID: cfae0b96541edbc3b24eb85feda2734eb045a47873739a793813f218762712ff
• Opcode Fuzzy Hash: bb262326a0f9ea5345169aa7735c8ac6c6989bb46798797f3271d0e56f48b3a3
• Instruction Fuzzy Hash: A251BD3230479187EB18DF2AE4A0B2A77E1FB89754F54856ADB5A43764EF3CD846CB00

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Token$CloseHeapInformationOpenProcessQuery$AllocFreememset
• String ID: 0
• API String ID: 1069212663-4108050209
• Opcode ID: ddfd43d60e369ed84a7661b05cf85c21dc2985717b2d2492c025bcbec0a531ff
• Instruction ID: d769f81e235957f4059e810e039a12505db386b6c0abdac313e2a90d1dc0c16c
• Opcode Fuzzy Hash: ddfd43d60e369ed84a7661b05cf85c21dc2985717b2d2492c025bcbec0a531ff
• Instruction Fuzzy Hash: 49312B32204BC58ADB20DF61F88479AB361F7C9B98F948025DB8D87B58DF38C54ACB40

Control-flow Graph

APIs
• memset.NTDLL ref: 00B7D202
  • Part of subcall function 00B77044: GetModuleHandleA.KERNEL32 ref: 00B7706B
  • Part of subcall function 00B77044: GetProcAddress.KERNEL32 ref: 00B77082
  • Part of subcall function 00B77044: OpenProcess.KERNEL32 ref: 00B770A2
  • Part of subcall function 00B77044: CloseHandle.KERNELBASE ref: 00B770D4
• VirtualProtectEx.KERNEL32 ref: 00B7D29D
• ResumeThread.KERNELBASE ref: 00B7D2DD
• WaitForSingleObject.KERNEL32 ref: 00B7D2ED
• SuspendThread.KERNELBASE ref: 00B7D300
• RtlNtStatusToDosError.NTDLL ref: 00B7D322
• VirtualProtectEx.KERNEL32 ref: 00B7D37A
• GetLastError.KERNEL32 ref: 00B7D3A4
• ResumeThread.KERNELBASE ref: 00B7D3B5
  • Part of subcall function 00B7C994: HeapAlloc.KERNEL32 ref: 00B7C9BF
  • Part of subcall function 00B7C994: memset.NTDLL ref: 00B7C9E9
  • Part of subcall function 00B7C994: ZwQueryInformationProcess.NTDLL ref: 00B7CA09
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Thread$ErrorHandleProcessProtectResumeVirtualmemset$AddressAllocCloseHeapInformationLastModuleObjectOpenProcQuerySingleStatusSuspendWait
• String ID:
• API String ID: 1643139815-0
• Opcode ID: b48f10e0b9b68ffa781f0b09ce6b62903caa05e4598b69dfb192aa92ef98fa74
• Instruction ID: ca7a9ee8659f0a3f6241e3a739d099e64d96777ab7930910f2b86566b2940f76
• Opcode Fuzzy Hash: b48f10e0b9b68ffa781f0b09ce6b62903caa05e4598b69dfb192aa92ef98fa74
• Instruction Fuzzy Hash: 3D415E72304B8096EB60DB22E95479BB7A4FB84BD5F408126EF5E87B98DF38C546C704

Control-flow Graph

APIs
  • Part of subcall function 00B781B4: lstrlenA.KERNEL32 ref: 00B781CD
  • Part of subcall function 00B781B4: HeapAlloc.KERNEL32 ref: 00B781E8
  • Part of subcall function 00B781B4: memset.NTDLL ref: 00B78214
• GetVersion.KERNEL32(00000000,00000000,000000D8,00B7BA89,?,00B64FAE), ref: 00B7B5C8
• HeapFree.KERNEL32(?,00B64FAE), ref: 00B7B612
• HeapFree.KERNEL32(?,00B64FAE), ref: 00B7B670
• HeapFree.KERNEL32(?,00B64FAE), ref: 00B7B6F5
• GetLastError.KERNEL32(00000000,00000000,000000D8,00B7BA89,?,00B64FAE), ref: 00B7B77A
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$AllocErrorLastVersionlstrlenmemset
• String ID: GET$POST
• API String ID: 471482158-3192705859
• Opcode ID: 6fe0b43789469c875a841ef7651e9ce1d90b56b0710a2afcdde46b23e94acae2
• Instruction ID: 7502994de47fbc83d3707f024244cd60bb3ce50411db0e422938d4e1c88c045e
• Opcode Fuzzy Hash: 6fe0b43789469c875a841ef7651e9ce1d90b56b0710a2afcdde46b23e94acae2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F513D32704A8597EB24DF66E95475A77A1F7C9B80F948125DB8E83F18DF38C866CB00

Control-flow Graph (rendered graph and Executed/Not Executed legend omitted)

APIs
• memset.NTDLL ref: 00B77571
• GetLastError.KERNEL32 ref: 00B776A2
  • Part of subcall function 00B77F04: RtlNtStatusToDosError.NTDLL ref: 00B77F49
  • Part of subcall function 00B77F04: SetLastError.KERNEL32 ref: 00B77F51
• RtlNtStatusToDosError.NTDLL ref: 00B775D7
• memcpy.NTDLL ref: 00B7762C
• NtSetContextThread.NTDLL ref: 00B77682
• RtlNtStatusToDosError.NTDLL ref: 00B77686
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Error$Status$Last$ContextThreadmemcpymemset
• String ID: @
• API String ID: 2245679996-2766056989
• Opcode ID: 3d69c08051759f0242cc7e37addfca680feda7b8c4284f332d0e2d57139221a3
• Instruction ID: ee5cf5efaecc62548af91a417873c92507760f28afece844080aea7572bf5771
• Opcode Fuzzy Hash: 3d69c08051759f0242cc7e37addfca680feda7b8c4284f332d0e2d57139221a3
• Instruction Fuzzy Hash: 25419032319F4186EB609F22E48479A73A4F788784F048539DFAD477A8EF78C554C740
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorSectionStatusView
• String ID: @
• API String ID: 1313840181-2766056989
• Opcode ID: 8718c4de9c28ffe477f1c90b75f996ef4d8fe5fb591510c12c07d6a2920dfa7f
• Instruction ID: 16ad059d1d17c1e24de8af3f96a68c54d524c2a80f7f23929c44e37920fa276c
• Opcode Fuzzy Hash: 8718c4de9c28ffe477f1c90b75f996ef4d8fe5fb591510c12c07d6a2920dfa7f
• Instruction Fuzzy Hash: F8F0AC76A14B40C6D7509F60E48EB8D36F8F754354F620239C79D43710DF368965CB54
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Error$LastMemoryStatusVirtualWrite
• String ID:
• API String ID: 1089604434-0
• Opcode ID: 898b73df3b0c5b8ac7c725c41f8552847c91321d0e8106bfb196c14f9414e820
• Instruction ID: f71d17913fb3c83ecf4ec36661252790c6b6986d86745861ef97b2a3c49fce11
• Opcode Fuzzy Hash: 898b73df3b0c5b8ac7c725c41f8552847c91321d0e8106bfb196c14f9414e820
• Instruction Fuzzy Hash: E2E0862475474587EB108FB1B48872963D4B749708F4408B5DF5D87750CF6CCC89C700
APIs
• NtQueryInformationProcess.NTDLL ref: 00B77272
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: InformationProcessQuery
• String ID:
• API String ID: 1778838933-0
• Opcode ID: b08f904ae82cec2f01180ed19f1c4a83ae4f932debc803e0418085158dba806c
• Instruction ID: 8880fdd85e01d1d605b75e355578b364cdc1f77d2ba9b13c9f6b3e4f532e26f9
• Opcode Fuzzy Hash: b08f904ae82cec2f01180ed19f1c4a83ae4f932debc803e0418085158dba806c
• Instruction Fuzzy Hash: 83F0122275CA8582DF149F66E48076963A1F7C8F8CF598025AF6E47715DF38C496C704

Control-flow Graph (rendered graph and Executed/Not Executed legend omitted)

APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise$ErrorLastLibraryLoad
• String ID: H
• API String ID: 948315288-2852464175
• Opcode ID: eb4a216c289ee461ff8c43e10669488913ddd98265460afe9caf8862b99d3029
• Instruction ID: 19ef44b70ee46456463334a57c7fce3c65654497073c73bf8b6044e4db9672cf
• Opcode Fuzzy Hash: eb4a216c289ee461ff8c43e10669488913ddd98265460afe9caf8862b99d3029
• Instruction Fuzzy Hash: 86816A32205B858ADF29DF15E444769B7E5FB88B89F084129DB8D47B68EF3CE946C700

Control-flow Graph
APIs
• ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32 ref: 00B7257E
• StrRChrA.KERNELBASE(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B72597
• _strupr.NTDLL(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B725B4
• lstrlenA.KERNEL32(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B725BD
• CreateEventA.KERNEL32(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B7265E
• AddVectoredExceptionHandler.KERNEL32(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B7268B
• GetLastError.KERNEL32(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B726A7
• RemoveVectoredExceptionHandler.KERNEL32(?,?,?,?,?,?,00000000,00B615DD,?,?,?,?,?,00B6166F), ref: 00B726BF
Strings
• S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1), xrefs: 00B72577
• D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA), xrefs: 00B7256C
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
• String ID: D:(D;OICI;GA;;;BG)(D;OICI;GA;;;AN)(A;OICI;GA;;;AU)(A;OICI;GA;;;BA)$S:(ML;;NW;;;LW)D:(A;;0x1fffff;;;WD)(A;;0x1fffff;;;S-1-15-2-1)
• API String ID: 1098824789-3923912226
• Opcode ID: bfd8205c5d269aae210b034db50cb37ca962554caff0395354212ee5f43ceb74
• Instruction ID: a2404130b914aedad87ebddbd6e20f9fcd2a583649327d9478c0b5f84c87f2d1
• Opcode Fuzzy Hash: bfd8205c5d269aae210b034db50cb37ca962554caff0395354212ee5f43ceb74
• Instruction Fuzzy Hash: 2341A132709B4086FB20DF26B96172A77E2FB98744F54856ADA6E43764DF3CC546CB00

Control-flow Graph
APIs
  • Part of subcall function 00B77044: GetModuleHandleA.KERNEL32 ref: 00B7706B
  • Part of subcall function 00B77044: GetProcAddress.KERNEL32 ref: 00B77082
  • Part of subcall function 00B77044: OpenProcess.KERNEL32 ref: 00B770A2
  • Part of subcall function 00B77044: CloseHandle.KERNELBASE ref: 00B770D4
• OpenProcess.KERNEL32(00000000,00B615DD), ref: 00B7D411
• GetProcAddress.KERNEL32 ref: 00B7D43B
• GetProcAddress.KERNEL32 ref: 00B7D452
• CreateRemoteThread.KERNELBASE ref: 00B7D487
• GetLastError.KERNEL32 ref: 00B7D4B5
  • Part of subcall function 00B7D1CC: memset.NTDLL ref: 00B7D202
  • Part of subcall function 00B7D1CC: VirtualProtectEx.KERNEL32 ref: 00B7D29D
  • Part of subcall function 00B7D1CC: ResumeThread.KERNELBASE ref: 00B7D2DD
  • Part of subcall function 00B7D1CC: WaitForSingleObject.KERNEL32 ref: 00B7D2ED
  • Part of subcall function 00B7D1CC: SuspendThread.KERNELBASE ref: 00B7D300
  • Part of subcall function 00B7D1CC: RtlNtStatusToDosError.NTDLL ref: 00B7D322
  • Part of subcall function 00B7D1CC: VirtualProtectEx.KERNEL32 ref: 00B7D37A
• CloseHandle.KERNEL32 ref: 00B7D4AD
• CloseHandle.KERNEL32 ref: 00B7D4D0
• GetLastError.KERNEL32 ref: 00B7D4D8
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Handle$AddressCloseErrorProcThread$LastOpenProcessProtectVirtual$CreateModuleObjectRemoteResumeSingleStatusSuspendWaitmemset
• String ID: CreateRemoteThread$RtlExitUserThread
• API String ID: 129944681-3466022969
• Opcode ID: 62d4fa91be6d2cb216e8e19073bfb6bb7d06a8aa3563813a4facace8a55c6977
• Instruction ID: a9a069be85e3491b110a4b3c97637e3f09656606a5cea4d1a6192122e695f530
• Opcode Fuzzy Hash: 62d4fa91be6d2cb216e8e19073bfb6bb7d06a8aa3563813a4facace8a55c6977
• Instruction Fuzzy Hash: 9A312822318B5083EB10CF66E88472A72F1FB89BC4F558579EB5D47764EF39D9498700

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Heap$AllocCreateFreeGlobalObjectSingleStreamWait
• String ID:
• API String ID: 965836088-0
• Opcode ID: 04d1ef11a8eb620922c88d1c5482b408ff871260a02d7907ef91e1b490254031
• Instruction ID: 72808c37359e512e44c8bad0a8e244c5d9e81cb5d5a9c0d2673f08bd55cf0cb7
• Opcode Fuzzy Hash: 04d1ef11a8eb620922c88d1c5482b408ff871260a02d7907ef91e1b490254031
• Instruction Fuzzy Hash: 11419D3230864487EB148F66E8C4B2A77B1FB89B91F50C069DB5E87B58DF78C849CB00

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 541 b779fc-b77a45 HeapAlloc 542 b77a4b 541->542 543 b77ad8 541->543 545 b77a4e-b77a5a 542->545 544 b77add-b77afb 543->544 546 b77a64 GetModuleFileNameA 545->546 547 b77a5c-b77a62 GetModuleFileNameW 545->547 548 b77a6a-b77a6e 546->548 547->548 549 b77a70-b77a72 548->549 550 b77aad-b77ab0 548->550 549->550 551 b77a74-b77aab HeapFree HeapAlloc 549->551 550->543 552 b77ab2-b77ab4 550->552 551->545 551->550 553 b77ab6-b77aba 552->553 554 b77abc-b77ad6 GetLastError HeapFree 552->554 553->544 554->544
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A37
                                                                                                                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A5C
                                                                                                                                                                                  • GetModuleFileNameA.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A64
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A8D
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A9F
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77ABC
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77AD0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFileFreeModuleName$ErrorLast
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2435679475-0
                                                                                                                                                                                  • Opcode ID: 75d9ec09c72fb7177617e44d1b9628b29b7a0ca858e5f2e9477612076e5633ec
                                                                                                                                                                                  • Instruction ID: 9ab0b8d7ddc29e69a6d1cb339939989b97e26b605f92acd48255938589dc19f0
                                                                                                                                                                                  • Opcode Fuzzy Hash: 75d9ec09c72fb7177617e44d1b9628b29b7a0ca858e5f2e9477612076e5633ec
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6E21622160875486F7109F97BC8872A76A1F788BD0F4584759F6D53B54DF78C5898300

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 555 b77044-b77062 556 b77094-b77096 555->556 557 b77064-b77092 GetModuleHandleA GetProcAddress 555->557 559 b770b2-b770b5 556->559 560 b77098-b770ab OpenProcess 556->560 557->556 558 b770da-b770e8 557->558 559->558 561 b770b7-b770cf 559->561 560->559 561->558 563 b770d1-b770d4 CloseHandle 561->563 563->558
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Handle$AddressCloseModuleOpenProcProcess
                                                                                                                                                                                  • String ID: IsWow64Process$KERNEL32.DLL
                                                                                                                                                                                  • API String ID: 4274107956-1193389583
                                                                                                                                                                                  • Opcode ID: 68f7f312c4afbcb16e81a0c17ec00d6944c226a7de76f4643cf8fd38de293261
                                                                                                                                                                                  • Instruction ID: 09f87698c9249249f644646f0fce61573582870be62a83691081f2e1b360d971
                                                                                                                                                                                  • Opcode Fuzzy Hash: 68f7f312c4afbcb16e81a0c17ec00d6944c226a7de76f4643cf8fd38de293261
                                                                                                                                                                                  • Instruction Fuzzy Hash: B5112976255B4192EF18CB1AF85072673B1FB89B80F18902ADF5E47764EF3DC8958B00

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 564 b770ec-b77116 call b779fc 567 b77231-b77248 564->567 568 b7711c-b77133 call b79220 564->568 571 b7721d-b7722b HeapFree 568->571 572 b77139-b7714d 568->572 571->567 573 b77152-b77156 572->573 574 b77174-b77181 573->574 575 b77158-b77172 573->575 574->571 577 b77187 574->577 575->574 576 b77189-b77194 575->576 576->571 578 b7719a-b771cd CreateFileA 576->578 577->573 578->571 579 b771cf-b771e2 SetFilePointer 578->579 580 b77214-b77217 CloseHandle 579->580 581 b771e4-b77204 ReadFile 579->581 580->571 581->580 582 b77206-b7720b 581->582 582->580 583 b7720d-b77211 582->583 583->580
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B779FC: HeapAlloc.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A37
                                                                                                                                                                                    • Part of subcall function 00B779FC: GetModuleFileNameW.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A5C
                                                                                                                                                                                    • Part of subcall function 00B779FC: HeapFree.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A8D
                                                                                                                                                                                    • Part of subcall function 00B779FC: HeapAlloc.KERNEL32(?,?,00000000,00B615AB,?,?,?,?,?,00B6166F), ref: 00B77A9F
                                                                                                                                                                                  • CreateFileA.KERNELBASE ref: 00B771C0
                                                                                                                                                                                  • SetFilePointer.KERNELBASE ref: 00B771DA
                                                                                                                                                                                  • ReadFile.KERNELBASE ref: 00B771FC
                                                                                                                                                                                  • CloseHandle.KERNELBASE ref: 00B77217
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B7722B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FileHeap$AllocFree$CloseCreateHandleModuleNamePointerRead
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2171202588-0
                                                                                                                                                                                  • Opcode ID: fd365c57cc6ddec02e825497848c5f50b5b8f7f630f8f125c3d7a40c884a208c
                                                                                                                                                                                  • Instruction ID: 504c3a9e21ea1a86e39c7aff2947ef02ec17a2f7dea3db0574c1b78b239b1a64
                                                                                                                                                                                  • Opcode Fuzzy Hash: fd365c57cc6ddec02e825497848c5f50b5b8f7f630f8f125c3d7a40c884a208c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5F31F23335468187DB10CF69E880B5977A1F785B94F648662EB6D07B54CF38D55ACB00

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 584 b64da8-b64dde call b64d14 587 b64de4-b64e09 RegQueryValueExA 584->587 588 b64e75-b64e89 584->588 589 b64e6a-b64e6f RegCloseKey 587->589 590 b64e0b-b64e23 HeapAlloc 587->590 589->588 591 b64e65 590->591 592 b64e25-b64e49 RegQueryValueExA 590->592 591->589 593 b64e51-b64e63 HeapFree 592->593 594 b64e4b-b64e4f 592->594 593->589 594->589
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B64D14: RegCreateKeyA.ADVAPI32 ref: 00B64D37
                                                                                                                                                                                    • Part of subcall function 00B64D14: lstrlenA.KERNEL32 ref: 00B64D62
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32 ref: 00B64DFF
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B64E17
                                                                                                                                                                                  • RegQueryValueExA.ADVAPI32 ref: 00B64E3F
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B64E5D
                                                                                                                                                                                  • RegCloseKey.KERNELBASE ref: 00B64E6F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HeapQueryValue$AllocCloseCreateFreelstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3542618315-0
                                                                                                                                                                                  • Opcode ID: ee689f7fb5b6ed51e9b3993e6ea2ad5f180f6ba4d38a2272da82fe761645846a
                                                                                                                                                                                  • Instruction ID: 8aaddefd5110fad05fb0f2d32d13aa9ec53e9c2f21d45cf75d3fe416a5c2d505
                                                                                                                                                                                  • Opcode Fuzzy Hash: ee689f7fb5b6ed51e9b3993e6ea2ad5f180f6ba4d38a2272da82fe761645846a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83214426714B5182EB208F26E894B5A7AA0FBC8BE4F458021EF8987B14DF3CC446CB00

                                                                                                                                                                                  Control-flow Graph

                                                                                                                                                                                  • Executed
                                                                                                                                                                                  • Not Executed
                                                                                                                                                                                  control_flow_graph 595 b77908-b77952 HeapAlloc 596 b779e1-b779f9 595->596 597 b77958-b77966 call b8c0ff 595->597 599 b7796b-b7796f 597->599 600 b77971-b77977 599->600 601 b779ab 599->601 602 b779af-b779b2 600->602 603 b77979-b779a9 HeapFree HeapAlloc 600->603 601->602 602->596 604 b779b4-b779b6 602->604 603->597 603->601 605 b779c7-b779db GetLastError HeapFree 604->605 606 b779b8-b779c5 604->606 605->596 606->596
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFree$ErrorLast
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2239058048-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateOpenlstrlen
• String ID:
• API String ID: 2865187142-0
APIs
  • Part of subcall function 00B64D14: RegCreateKeyA.ADVAPI32 ref: 00B64D37
  • Part of subcall function 00B64D14: lstrlenA.KERNEL32 ref: 00B64D62
• RegSetValueExA.KERNELBASE(00000000,?,?,00B64FAE), ref: 00B64EE9
• RegCloseKey.ADVAPI32(?,?,00B64FAE), ref: 00B64EFE
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseCreateValuelstrlen
• String ID:
• API String ID: 1356686001-0
APIs
• lstrcmpA.KERNEL32(00B76B7C), ref: 00B79314
• lstrlenA.KERNEL32(00B76B7C), ref: 00B7931E
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcmplstrlen
• String ID:
• API String ID: 898299967-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
• GetLastError.KERNEL32(?,00B64FAE), ref: 00B7B7E4
• GetLastError.KERNEL32 ref: 00B7B840
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorLast
• String ID:
• API String ID: 1452528299-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794641096.0000000000BA3000.00000040.80000000.00040000.00000000.sdmp, Offset: 00BA3000, based on PE: false
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_ba3000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Load
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2234796835-0
                                                                                                                                                                                  • Opcode ID: 764a3ae3d2f84ff3c8ac80092de25afb16fd054836a3943cc4e89c6bc47590c3
                                                                                                                                                                                  • Instruction ID: 110b1b904cf02b90c3c55d155aa6390c5c19799996eb9107ba3e45b4edd72012
                                                                                                                                                                                  • Opcode Fuzzy Hash: 764a3ae3d2f84ff3c8ac80092de25afb16fd054836a3943cc4e89c6bc47590c3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B81E63120CB494FDB69DB28D8917A677E0FF57710F0445EEE48AC7242EB34D50A8742
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Freememcpy$Alloclstrlen$CriticalSectionTimeTrimlstrcmpi$EnterFileLeaveSystemwsprintf
                                                                                                                                                                                  • String ID: @CONFIG=*@$@GROUP@$@ID@$@RANDSTR@$@URL=*@$@VIDEO=*@$Main$W
                                                                                                                                                                                  • API String ID: 2178606756-1989307888
                                                                                                                                                                                  • Opcode ID: e826a9ff9ccabc7b3ad1388cba55e344f7433c27a2135fc94cac4212118e3e20
                                                                                                                                                                                  • Instruction ID: 7da61b32022a06debda43aecddb40ce8141d224a915f53e40d9d57eec1a71aac
                                                                                                                                                                                  • Opcode Fuzzy Hash: e826a9ff9ccabc7b3ad1388cba55e344f7433c27a2135fc94cac4212118e3e20
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3CF1B522314A8586DB20DF66E8947BA7BE1F788B84F494462DF4E87B24DF7CD54AC700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$memcpy$AllocFree$lstrlen$lstrcpyn
                                                                                                                                                                                  • String ID: $ gzip, deflate$Accept-Encoding:$Content-Type:$GET $GET $Host:$OPTI$OPTI$POST$PUT $User-Agent:$http://$https://$ocsp
                                                                                                                                                                                  • API String ID: 1311285321-4239336915
                                                                                                                                                                                  • Opcode ID: 19236f1fa99bdc997aacd35a3dbdaac8e1efa32c2bc6ef9606a379a0cdf13370
                                                                                                                                                                                  • Instruction ID: f751cfcc31971888ed6059d37b341a0980377ec46643275b06d0394feb0e924b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 19236f1fa99bdc997aacd35a3dbdaac8e1efa32c2bc6ef9606a379a0cdf13370
                                                                                                                                                                                  • Instruction Fuzzy Hash: E0028876314B81C6DB21EF2AE4847AA77A1FB89B84F058462DF9E47B14EF38D445CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B6202F
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756A3
                                                                                                                                                                                    • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756D8
                                                                                                                                                                                    • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756E5
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75738
                                                                                                                                                                                    • Part of subcall function 00B75668: memset.NTDLL ref: 00B7575C
                                                                                                                                                                                    • Part of subcall function 00B75668: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7577B
                                                                                                                                                                                    • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757C1
                                                                                                                                                                                    • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757D1
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757F9
                                                                                                                                                                                    • Part of subcall function 00B75668: memset.NTDLL ref: 00B7581B
                                                                                                                                                                                    • Part of subcall function 00B75668: wcscpy.NTDLL ref: 00B7582E
                                                                                                                                                                                    • Part of subcall function 00B75668: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758B0
                                                                                                                                                                                    • Part of subcall function 00B75668: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758DF
                                                                                                                                                                                    • Part of subcall function 00B75668: FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758F2
                                                                                                                                                                                    • Part of subcall function 00B75668: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75907
                                                                                                                                                                                    • Part of subcall function 00B75668: FindClose.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7591F
                                                                                                                                                                                    • Part of subcall function 00B75668: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7594F
                                                                                                                                                                                    • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7597E
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7599E
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B62096
                                                                                                                                                                                  • mbstowcs.NTDLL ref: 00B620B2
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B620C2
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B759C5
                                                                                                                                                                                    • Part of subcall function 00B75668: FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A30
                                                                                                                                                                                    • Part of subcall function 00B75668: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A45
                                                                                                                                                                                    • Part of subcall function 00B75668: FindClose.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A5F
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A79
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A94
                                                                                                                                                                                    • Part of subcall function 00B75668: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75AA6
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B620F9
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B6210E
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B62141
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B62178
                                                                                                                                                                                  • CreateDirectoryW.KERNEL32 ref: 00B621A4
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 00B6220D
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 00B62222
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 00B6222D
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B6224B
                                                                                                                                                                                  • lstrcpyW.KERNEL32 ref: 00B62263
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B62274
                                                                                                                                                                                  • CreateDirectoryW.KERNEL32 ref: 00B6227F
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B6228F
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B622BA
                                                                                                                                                                                  • CreateDirectoryW.KERNEL32 ref: 00B622C5
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B622D5
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B62302
                                                                                                                                                                                  • CopyFileW.KERNEL32 ref: 00B62311
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B62323
                                                                                                                                                                                  • DeleteFileW.KERNEL32 ref: 00B6232E
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B62340
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B62365
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Freelstrlen$Alloclstrcat$FileFind$CreateDirectory$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CopyDeleteEnterLeavelstrcpymbstowcswcscpy
                                                                                                                                                                                  • String ID: %APPDATA%$%APPDATA%\Mozilla\Firefox\Profiles$*.sol$*.txt$\Macromedia\Flash Player\$\cookie.ff$\cookie.ie$\sols$cookies.sqlite$cookies.sqlite-journal
                                                                                                                                                                                  • API String ID: 822342563-1988282036
                                                                                                                                                                                  • Opcode ID: 6d0b5fd9203c8337829c3a9cdb17d1f2d14d3dfc24edd50753661eaf23eae754
                                                                                                                                                                                  • Instruction ID: 83c0924f1aa2c1631c44a224667f4af3b5112bfc7bb3a76d1660ff1896b7e1f1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6d0b5fd9203c8337829c3a9cdb17d1f2d14d3dfc24edd50753661eaf23eae754
                                                                                                                                                                                  • Instruction Fuzzy Hash: 11A17832714A5586EB10DF66E898B5937A2FB89BD4F854122DF4E53B24DF3CC98AC700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Free$Heap$String$Alloclstrlen$Locallstrcatlstrcpymemcpymemset
                                                                                                                                                                                  • String ID: HTTPMail$IMAP$P$POP3$Password2$Port$SMTP$Secure_Connection$Server$User_Name$W
                                                                                                                                                                                  • API String ID: 1137011002-867940824
                                                                                                                                                                                  • Opcode ID: 6015e9a86d60928933d16e6dc0320400c22ccbadbdc9d9c3e63cce0b95195404
                                                                                                                                                                                  • Instruction ID: 0231a0106c0737d946626812019301a3089d7f67fe6c035618608abdfa756e18
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6015e9a86d60928933d16e6dc0320400c22ccbadbdc9d9c3e63cce0b95195404
                                                                                                                                                                                  • Instruction Fuzzy Hash: 90918F25214B8586EB10DF26F8883A9B7A1F789BD1F858461DF5E53B24DF3CC58ACB01
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$CriticalSection$AllocCloseCreateEnterErrorHandleLastLeaveSleepThreadlstrlenmbstowcs
                                                                                                                                                                                  • String ID: 0123456789ABCDEF$Keys$Scr$B{
                                                                                                                                                                                  • API String ID: 2781421929-1574167404
                                                                                                                                                                                  • Opcode ID: 7f76b19611318ac11a355a5b67eb265fd1063be38ea9f2439c25bbf435c67af6
                                                                                                                                                                                  • Instruction ID: c9ad70235984804faf6a3a80ca41ad59752936a6ce6821d01079d4a0f2bcab96
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7f76b19611318ac11a355a5b67eb265fd1063be38ea9f2439c25bbf435c67af6
                                                                                                                                                                                  • Instruction Fuzzy Hash: C1029E7430578186EF28DB67A9587AA77E2EBC9B90F4480798E1E43769DF3CD844CB10
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B7826D
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B78297
                                                                                                                                                                                  • memset.NTDLL ref: 00B782B8
                                                                                                                                                                                    • Part of subcall function 00B77FBC: ExpandEnvironmentStringsA.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B77FD4
                                                                                                                                                                                    • Part of subcall function 00B77FBC: HeapAlloc.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B77FEC
                                                                                                                                                                                    • Part of subcall function 00B77FBC: ExpandEnvironmentStringsA.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B78007
                                                                                                                                                                                    • Part of subcall function 00B77FBC: HeapFree.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B7801D
                                                                                                                                                                                  • CreateFileA.KERNEL32 ref: 00B7830A
                                                                                                                                                                                  • GetFileTime.KERNEL32 ref: 00B7832A
                                                                                                                                                                                  • CloseHandle.KERNEL32 ref: 00B78345
                                                                                                                                                                                  • StrRChrA.SHLWAPI ref: 00B78354
                                                                                                                                                                                  • lstrcatA.KERNEL32 ref: 00B78391
                                                                                                                                                                                  • FindFirstFileA.KERNEL32 ref: 00B7839F
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B783BE
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B783D0
                                                                                                                                                                                  • FindNextFileA.KERNEL32 ref: 00B783FB
                                                                                                                                                                                  • FindClose.KERNEL32 ref: 00B78408
                                                                                                                                                                                  • FindFirstFileA.KERNEL32 ref: 00B78416
                                                                                                                                                                                  • CompareFileTime.KERNEL32 ref: 00B78442
                                                                                                                                                                                  • StrChrA.SHLWAPI ref: 00B7846E
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B784A5
                                                                                                                                                                                  • FindNextFileA.KERNEL32 ref: 00B784BC
                                                                                                                                                                                  • FindClose.KERNEL32 ref: 00B784C9
                                                                                                                                                                                  • FindFirstFileA.KERNEL32 ref: 00B784D7
                                                                                                                                                                                  • CompareFileTime.KERNEL32 ref: 00B784ED
                                                                                                                                                                                  • FindClose.KERNEL32 ref: 00B78511
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$Find$Heap$Close$AllocFirstFreeTime$CompareEnvironmentExpandNextStrings$CreateHandlelstrcatmemcpymemset
                                                                                                                                                                                  • String ID: %systemroot%\system32\c_1252.nls$.dll$C;U$J:U$\*.dll
                                                                                                                                                                                  • API String ID: 2943865858-1509517075
                                                                                                                                                                                  • Opcode ID: f2992e046a7eb02c725860877c0ede824b8a528bcf2d5bb21eb68763041c296b
                                                                                                                                                                                  • Instruction ID: 6e90d45d387d10252080aa172e67edba7513d01068d8b0c51c32418724a01c39
                                                                                                                                                                                  • Opcode Fuzzy Hash: f2992e046a7eb02c725860877c0ede824b8a528bcf2d5bb21eb68763041c296b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1271A3723046418AEB20DF2AF89875A77A2F789B94F458521DF6E47B54DF7CC849C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memcpy.NTDLL(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B7013B
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B70211
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B703ED
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B70475
                                                                                                                                                                                    • Part of subcall function 00B7BC6C: HeapAlloc.KERNEL32(?,00B64FAE), ref: 00B7BD2D
                                                                                                                                                                                    • Part of subcall function 00B7BC6C: HeapAlloc.KERNEL32(?,00B64FAE), ref: 00B7BD89
                                                                                                                                                                                    • Part of subcall function 00B7BC6C: wcstombs.NTDLL ref: 00B7BDA5
                                                                                                                                                                                    • Part of subcall function 00B7BC6C: HeapFree.KERNEL32(?,00B64FAE), ref: 00B7BDCC
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B7040F
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B7041F
                                                                                                                                                                                  • memcpy.NTDLL(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B70436
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B70449
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B704DA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Alloc$Freelstrlen$memcpy$wcstombs
                                                                                                                                                                                  • String ID: chunked$1.2.3$Access-Control-Allow-Origin:$Cache-Control:$Content-Encoding:$Content-Length:$Content-Security-Policy-Report-Only:$Content-Security-Policy:$Content-Type:$Etag:$HTTP$HTTP/1.1 404 Not Found$Last-Modified:$POST$Transfer-Encoding:$X-Frame-Options$gzip$no-cache, no-store, must-revalidate
                                                                                                                                                                                  • API String ID: 927677702-3005951570
                                                                                                                                                                                  • Opcode ID: daa2d2b7ba9d6336878acf4c351f35f039e0e45fb6683755cd0d0a6ce89c96a9
                                                                                                                                                                                  • Instruction ID: 8e72f4a8cc60d5343af37303e6e4f79e614192d3925a9579ca60fc0d3eeda30d
                                                                                                                                                                                  • Opcode Fuzzy Hash: daa2d2b7ba9d6336878acf4c351f35f039e0e45fb6683755cd0d0a6ce89c96a9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 15E15772320A14D7EB10EF2AE594B5E3BA0F789B94F419456EB1D47B24DF38D455CB00
APIs
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756A3
  • Part of subcall function 00B75224: ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75242
  • Part of subcall function 00B75224: HeapAlloc.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B7525B
  • Part of subcall function 00B75224: ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75272
  • Part of subcall function 00B75224: HeapFree.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75288
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756D8
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756E5
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75738
• memset.NTDLL ref: 00B7575C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7577B
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757C1
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757D1
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757F9
• memset.NTDLL ref: 00B7581B
• wcscpy.NTDLL ref: 00B7582E
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758B0
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758DF
• FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758F2
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75907
• FindClose.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7591F
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7594F
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7597E
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7599E
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B759C5
• FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A30
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A45
• FindClose.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A5F
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A79
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75A94
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75AA6
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Find$AllocFreelstrlen$File$CloseCriticalEnvironmentExpandFirstNextObjectSectionSingleStringsWaitmemset$EnterLeavewcscpy
• String ID:
• API String ID: 3729366134-0
• Opcode ID: d1907ceaf52f27af3a01440b5713e7387a551ce8b6d8a1de1f313d43c8aaaac6
• Instruction ID: e383e65da5ffb5d47bfe5ede7f4676a7ba1d04a8f7ce3c09c432ac4436162ae8
• Opcode Fuzzy Hash: d1907ceaf52f27af3a01440b5713e7387a551ce8b6d8a1de1f313d43c8aaaac6
• Instruction Fuzzy Hash: 93C17E76214A808BDB24DF26E88476A77E1F7C8B94F498526DB5E83754DF3CC886CB00
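The API lists in these function records share one line format: a bullet, an optional `Part of subcall function <addr>:` prefix, `Api.MODULE`, an optional argument list in which `?` marks a value the sandbox could not recover, and `ref: <call site>`. The parser below turns such lines into structured records and derives the behavioural hints an analyst reads off them, here the FindFirstFileW/FindNextFileW loop over a path built with ExpandEnvironmentStringsW. This is an added example for working with the report, not code from Joe Sandbox or from the analysed sample; the sample lines are copied from the record above with layout whitespace trimmed, and the hint rules are the editor's own heuristics.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# One line of a Joe Sandbox "APIs" list, e.g.
#   • HeapAlloc.KERNEL32(?,?,00000000,00B69957), ref: 00B756A3
#   • Part of subcall function 00B75224: HeapFree.KERNEL32(?,?), ref: 00B75288
#   • memset.NTDLL ref: 00B7575C              (no argument list recovered)
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]          # "?" = argument value not recovered by the sandbox
    ref: int                 # address of the call site
    subcall: Optional[int]   # containing function when the call sits in a callee


def parse_api_lines(lines):
    """Parse the bullet lines of an APIs list; section headers are skipped."""
    calls = []
    for line in lines:
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=[a.strip() for a in raw.split(",")] if raw else [],
            ref=int(m.group("ref"), 16),
            subcall=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def summarize(calls):
    """Module histogram plus the coarse behaviours the API set implies."""
    per_module = Counter(c.module for c in calls)
    apis = {c.api for c in calls}
    hints = []
    if {"FindFirstFileW", "FindNextFileW"} <= apis:
        hints.append("directory enumeration loop")
    if {"LoadLibraryA", "GetProcAddress"} <= apis:
        hints.append("runtime import resolution")
    if "ExpandEnvironmentStringsW" in apis:
        hints.append("path built from environment variables")
    return per_module, hints


# Lines taken from the first function record above (layout whitespace trimmed).
SAMPLE = """
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756A3
  • Part of subcall function 00B75224: ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75242
• memset.NTDLL ref: 00B7575C
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7577B
• FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758F2
• FindClose.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7591F
APIs
""".strip().splitlines()

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    modules, behaviours = summarize(parsed)
    for c in parsed:
        where = f" (in {c.subcall:08X})" if c.subcall else ""
        print(f"{c.ref:08X}  {c.api}.{c.module}{where}  argc={len(c.args)}")
    print(dict(modules), behaviours)
```

Feeding a whole report's records through `parse_api_lines` and then filtering on `ref` ranges is a quick way to see which functions touch the filesystem, the registry or the loader without opening the disassembly.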
APIs
• RegOpenKeyA.ADVAPI32 ref: 00B73B32
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73B78
• LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73BAC
• GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73BC4
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73BF0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73C07
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73C0F
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73C23
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73C35
• lstrlenW.KERNEL32 ref: 00B73D6F
• lstrlenW.KERNEL32 ref: 00B73D8F
• lstrlenA.KERNEL32 ref: 00B73DB3
• HeapAlloc.KERNEL32 ref: 00B73DC9
• mbstowcs.NTDLL ref: 00B73DE7
• lstrlenW.KERNEL32 ref: 00B73DFA
• lstrlenW.KERNEL32 ref: 00B73E1A
• HeapFree.KERNEL32 ref: 00B73E40
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73E9D
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00B73F23
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$FreeHeap$ErrorLastLibrary$Alloc$AddressCloseLoadOpenProcmbstowcs
• String ID: Software\Microsoft\WAB\DLLPath$WABOpen
• API String ID: 277176735-1249168598
• Opcode ID: 27d5bd8bbe2e984881b9ee18aaa631d555b82705a9699863c1aa68f6a8517f81
• Instruction ID: 932649fd44bb79c5d9e86d18b685a6bae3728f23e6b32c4f2b0b53b7e7c495e1
• Opcode Fuzzy Hash: 27d5bd8bbe2e984881b9ee18aaa631d555b82705a9699863c1aa68f6a8517f81
• Instruction Fuzzy Hash: 84C16E7A204A84C2DB20DF26E48876E77A1F788F98F558552DF5E47B28CF39C989D700
APIs
• lstrlenA.KERNEL32 ref: 00B64076
• SetWaitableTimer.KERNEL32 ref: 00B641D1
• GetLastError.KERNEL32 ref: 00B641E4
• CloseHandle.KERNEL32 ref: 00B641F4
• GetLastError.KERNEL32 ref: 00B64206
• lstrlenA.KERNEL32 ref: 00B6426B
  • Part of subcall function 00B787EC: memset.NTDLL ref: 00B78818
  • Part of subcall function 00B787EC: lstrlenA.KERNEL32 ref: 00B78829
  • Part of subcall function 00B787EC: HeapAlloc.KERNEL32 ref: 00B78841
  • Part of subcall function 00B787EC: StrChrA.SHLWAPI ref: 00B78864
  • Part of subcall function 00B787EC: HeapFree.KERNEL32 ref: 00B788D6
  • Part of subcall function 00B64BF8: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000004,00000000,00000000,00B627B3), ref: 00B64CE0
  • Part of subcall function 00B61CB0: RegOpenKeyA.ADVAPI32 ref: 00B61CD0
  • Part of subcall function 00B61CB0: RegCloseKey.ADVAPI32(?,?,?,00B642DE), ref: 00B61D07
• HeapFree.KERNEL32 ref: 00B64687
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Freelstrlen$CloseErrorLast$AllocHandleOpenTimerWaitablememset
• String ID: *p,1$EMPTY$keys$log
• API String ID: 2692914560-1835890708
• Opcode ID: 80fa45a883c09fdf73485bfb39e2b91ece6906ceeb51c2d6e7dff6292ea6a9b4
• Instruction ID: 750a31eb94ed3535a7b39935a84572ae864d467db0319d80a03ee9b5d05d17ee
• Opcode Fuzzy Hash: 80fa45a883c09fdf73485bfb39e2b91ece6906ceeb51c2d6e7dff6292ea6a9b4
• Instruction Fuzzy Hash: FEE12322324E9183EF389B25E4A4BBA62D1FB96784F5811BADF4747F54DF2DC8408B01
APIs
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
  • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
  • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
  • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
  • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,00B6253C), ref: 00B69D4D
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00B6253C), ref: 00B69D66
• wsprintfA.USER32 ref: 00B69D8D
• HeapFree.KERNEL32(?,?,?,?,?,?,?,00B6253C), ref: 00B69DAB
• WideCharToMultiByte.KERNEL32 ref: 00B69E07
Strings
• reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >, xrefs: 00B69D2D
• cmd /U /C "type %s1 > %s & del %s1", xrefs: 00B69D78
• systeminfo.exe , xrefs: 00B69C97
• nslookup 127.0.0.1 >, xrefs: 00B69CD6
• tasklist.exe /SVC >, xrefs: 00B69CF3
• net view >, xrefs: 00B69CB9
• driverquery.exe >, xrefs: 00B69D10
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Similarity
• API ID: HeapTemp$AllocPath$ByteCharCountFileFreeMultiNameTickWidelstrcpylstrlenwsprintf
• String ID: cmd /U /C "type %s1 > %s & del %s1"$driverquery.exe >$net view >$nslookup 127.0.0.1 >$reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s >$systeminfo.exe $tasklist.exe /SVC >
• API String ID: 4088430538-556198761
• Opcode ID: 80b9b2632eb20dd8f68b1fa7192d0b1125bcf0820231a9524220d660b19e24d5
• Instruction ID: 0314c9096ff704f5ece776f08f570ef33bab86d977bf108ddb863b226b0d36b5
• Opcode Fuzzy Hash: 80b9b2632eb20dd8f68b1fa7192d0b1125bcf0820231a9524220d660b19e24d5
• Instruction Fuzzy Hash: 2451D166314B8182EB20DBA6A99437A77DAEB89BC0F484075DF4987765EF3DC44EC301
Similarity
• API ID: Heap$Free$Alloclstrlen$Trimlstrcatsprintfstrcpy
• String ID: =$%s=%s&$form
• API String ID: 2842869570-1831671573
• Opcode ID: 0105e50d506bc20703566589c0325165ce7e4b72f05e9c69a3878f39b568eccd
• Instruction ID: 045e4620acaf9694240e05bb6e198c91a72de8c68acd40a71ec19a1d5dd08cbc
• Opcode Fuzzy Hash: 0105e50d506bc20703566589c0325165ce7e4b72f05e9c69a3878f39b568eccd
• Instruction Fuzzy Hash: F6419025701B4546EB08DF67AC5972A7792ABC9FD0F498025DE1E8BB69DF3CC44AC300
APIs
  • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64DFF
  • Part of subcall function 00B64DA8: HeapAlloc.KERNEL32 ref: 00B64E17
  • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64E3F
  • Part of subcall function 00B64DA8: RegCloseKey.KERNELBASE ref: 00B64E6F
• HeapFree.KERNEL32 ref: 00B64725
• HeapAlloc.KERNEL32 ref: 00B6474D
• HeapFree.KERNEL32 ref: 00B64795
• HeapAlloc.KERNEL32 ref: 00B647B6
• HeapFree.KERNEL32 ref: 00B64858
• HeapAlloc.KERNEL32 ref: 00B6495C
• wsprintfA.USER32 ref: 00B64976
• lstrlenA.KERNEL32 ref: 00B6497F
• HeapFree.KERNEL32 ref: 00B649A4
• HeapFree.KERNEL32 ref: 00B649CC
• HeapAlloc.KERNEL32 ref: 00B649E5
• wsprintfA.USER32 ref: 00B649FE
• lstrlenA.KERNEL32 ref: 00B64A07
  • Part of subcall function 00B6F790: lstrlenA.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B6F7DA
  • Part of subcall function 00B6F790: HeapAlloc.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B6F800
  • Part of subcall function 00B6F790: memcpy.NTDLL(?,?,?,?,?,00B6166F), ref: 00B6F838
  • Part of subcall function 00B6F790: memcpy.NTDLL(?,?,?,?,?,00B6166F), ref: 00B6F851
  • Part of subcall function 00B6F790: CallNamedPipeA.KERNEL32 ref: 00B6F885
  • Part of subcall function 00B6F790: GetLastError.KERNEL32 ref: 00B6F88F
  • Part of subcall function 00B6F790: HeapFree.KERNEL32 ref: 00B6F8A7
• HeapFree.KERNEL32 ref: 00B64A2C
• HeapFree.KERNEL32 ref: 00B64A43
Similarity
• API ID: Heap$Free$Alloc$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
• String ID: .gif$Cmd %s processed: %u$Cmd %u parsing: %u$LastTask
• API String ID: 1602191192-4059711938
• Opcode ID: 775cff78a0bbfe8577a7a0196dd2bf38c77c525b40fee6c06d0498969b61e490
• Instruction ID: d43336a74d6bc6fb1f1766dc4a398ac6d9a631bcbc8eafcc0dea677842684293
• Opcode Fuzzy Hash: 775cff78a0bbfe8577a7a0196dd2bf38c77c525b40fee6c06d0498969b61e490
• Instruction Fuzzy Hash: 2B918276704A8086EB20DF66E8847A97792F7C9BD4F858065CF8E57B14DF3CC88A8700
Similarity
• API ID: Heap$AllocFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
• String ID: .pfx$ISFB
• API String ID: 968628757-2368466137
• Opcode ID: 41703a6dc0dba5a785dffb2d42ab70fd0dbfea9413c7eff4515288bce58510db
• Instruction ID: e54a56db01bf3abb1d3da7392c71ada376a9381b94109888852e8c91dd8d842e
• Opcode Fuzzy Hash: 41703a6dc0dba5a785dffb2d42ab70fd0dbfea9413c7eff4515288bce58510db
• Instruction Fuzzy Hash: 69518236204A8186EB10DF66F858B5A77A2F789BD4F498521DF9E43B24DF3CC54AC704
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFree$File$Findlstrlen$DeleteDirectoryFirstNextRemove
                                                                                                                                                                                  • String ID: *.*
                                                                                                                                                                                  • API String ID: 875268874-438819550
                                                                                                                                                                                  • Opcode ID: 11fcefd4f52fb7dbeaad99ef0fe9925a1c27d4a3aec941e234858e5fc6ee2213
                                                                                                                                                                                  • Instruction ID: d1f6c93b3fced5ace61a8aab0a205d4360dad6bc75219b9a8de524075c590ff3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 11fcefd4f52fb7dbeaad99ef0fe9925a1c27d4a3aec941e234858e5fc6ee2213
                                                                                                                                                                                  • Instruction Fuzzy Hash: 01517C31204B448BEB219F26E88876A7BE1EB88BD4F458165CF5E43764DF7CC58ACB00
APIs
• RtlImageNtHeader.NTDLL ref: 00B634AB
• HeapAlloc.KERNEL32 ref: 00B634D3
  • Part of subcall function 00B752A4: lstrlenA.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752C2
  • Part of subcall function 00B752A4: HeapAlloc.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752D8
  • Part of subcall function 00B752A4: mbstowcs.NTDLL ref: 00B752F0
  • Part of subcall function 00B752A4: HeapFree.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75311
• CreateDirectoryW.KERNEL32 ref: 00B63515
• lstrlenW.KERNEL32 ref: 00B6351E
• CloseHandle.KERNEL32 ref: 00B63550
• lstrlenA.KERNEL32 ref: 00B63633
• lstrlenW.KERNEL32 ref: 00B6363F
• HeapAlloc.KERNEL32 ref: 00B63659
• HeapFree.KERNEL32 ref: 00B636BE
• HeapFree.KERNEL32 ref: 00B636D0
• HeapFree.KERNEL32 ref: 00B636E2
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Freelstrlen$Alloc$CloseCreateDirectoryHandleHeaderImagembstowcs
• String ID: %APPDATA%\Microsoft\$.dll$.exe$rundll32 "%s",%S
• API String ID: 1760868601-3949945093
• Opcode ID: 385df999faa45770000548868e710235421dca5431fc69be6fc42d2814a09e86
• Instruction ID: 0f203e404a643108f3fb5bd06017f94f835314df6fb8b0bf5fa7af59fe661340
• Opcode Fuzzy Hash: 385df999faa45770000548868e710235421dca5431fc69be6fc42d2814a09e86
• Instruction Fuzzy Hash: E4519E21309A5096EB10DF66E9587A977E1F788FD4F494422DE0E97760DF3CC68AC700
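The function above combines CreateDirectoryW with the string fragments `%APPDATA%\Microsoft\`, `.dll`, `.exe` and the command template `rundll32 "%s",%S` (narrow format string, wide export name), i.e. a payload is written under the user's roaming Microsoft folder and launched through rundll32 with a named export. The following detection logic is an added example written for this page; it is not code from the report or from Joe Sandbox. It assumes simplified process-creation records (constructed here, loosely modelled on Sysmon Event ID 1 fields) and that `%APPDATA%` expands to `<profile>\AppData\Roaming`; the sample paths and export names are invented for the test and do not come from the sample.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (not taken from the report). Two are benign
# rundll32/svchost uses; two mirror the template rundll32 "<%APPDATA%\Microsoft\...>",<Export>.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32 "C:\Users\alice\AppData\Roaming\Microsoft\Crypto\bthprops.dll",DllRegisterServer',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32 "C:\Users\bob\AppData\Roaming\Microsoft\Windows\Templates\update.exe",Run',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
]

# Matches a rundll32 command line whose module lives under %APPDATA%\Microsoft\ and
# ends in .dll or .exe (rundll32 will happily load an .exe that exports the entry),
# followed by a comma and an export name, exactly the shape of the template string.
RUNDLL32_APPDATA = re.compile(
    r'rundll32(?:\.exe)?\s+"?'
    r'(?P<path>[A-Za-z]:\\Users\\[^\\"]+\\AppData\\Roaming\\Microsoft\\[^",]+?\.(?:dll|exe))'
    r'"?\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str      # module handed to rundll32
    export: str    # export name after the comma
    parent: str    # parent image, kept for triage (explorer/svchost are the injected hosts)


def detect_rundll32_appdata(events):
    """Return one Finding per event where rundll32 loads a module from %APPDATA%\\Microsoft\\."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        if not image.endswith("\\rundll32.exe"):
            continue
        m = RUNDLL32_APPDATA.search(ev.get("CommandLine", ""))
        if m:
            findings.append(Finding(m.group("path"), m.group("export"), ev.get("ParentImage", "")))
    return findings


if __name__ == "__main__":
    for f in detect_rundll32_appdata(SAMPLE_EVENTS):
        print(f"rundll32 loading {f.path} export={f.export} parent={f.parent}")
```

The regex deliberately tolerates both the quoted form the template produces and an unquoted path, and both extensions from the string list, so a rename of the dropped file from `.dll` to `.exe` does not evade it. Legitimate software rarely places rundll32-hosted modules under the roaming Microsoft folder, so the hit rate on clean endpoints should be low, but the parent image is retained because the report shows the sample running inside svchost.exe and explorer.exe.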
APIs
• wcscpy.NTDLL ref: 00B69382
• GetLogicalDriveStringsW.KERNEL32 ref: 00B6938C
• HeapAlloc.KERNEL32 ref: 00B693A7
• memset.NTDLL ref: 00B693C1
• GetLogicalDriveStringsW.KERNEL32 ref: 00B693CC
• WaitForSingleObject.KERNEL32 ref: 00B693E3
• GetDriveTypeW.KERNEL32 ref: 00B693F3
• lstrlenW.KERNEL32 ref: 00B69401
• wcscpy.NTDLL ref: 00B6941C
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756A3
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756D8
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756E5
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75738
  • Part of subcall function 00B75668: memset.NTDLL ref: 00B7575C
  • Part of subcall function 00B75668: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7577B
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757C1
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757D1
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757F9
• lstrlenW.KERNEL32 ref: 00B69444
• HeapFree.KERNEL32 ref: 00B69463
• HeapFree.KERNEL32 ref: 00B69498
• HeapFree.KERNEL32 ref: 00B694C0
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$lstrlen$Alloc$DriveFree$LogicalStringsmemsetwcscpy$FileFindFirstObjectSingleTypeWait
• String ID: \\?\
• API String ID: 270975014-4282027825
• Opcode ID: 6f44935d65b14f46831b5faf01a4c1579c77a2c653fa4bfc4364e7b501a7dddc
• Instruction ID: 4d8505017beb512f0ea1e124ad1996b155bf07c9ac77a7898cb34477ff69bfcf
• Opcode Fuzzy Hash: 6f44935d65b14f46831b5faf01a4c1579c77a2c653fa4bfc4364e7b501a7dddc
• Instruction Fuzzy Hash: C4416C36314B4482EB10DF62E84875E73A6F799B94F4A8166DB5E83714DF7DC98AC300
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocFree
• String ID:
• API String ID: 1379380650-0
• Opcode ID: 2b112201003aece03f5809a3913abae390239f73e7d781405d3795b2d9fd89b3
• Instruction ID: 297e5f5e327be01b8d87b6df4dadc4ddec2548dcf205d7c60ba03e284ee16c5f
• Opcode Fuzzy Hash: 2b112201003aece03f5809a3913abae390239f73e7d781405d3795b2d9fd89b3
• Instruction Fuzzy Hash: 4BD16E72604A84C6DB35CF21E8847AAB7E1F7C9B95F458121DB9D43B28DF78C989CB40
APIs
  • Part of subcall function 00B65978: HeapAlloc.KERNEL32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B659D7
  • Part of subcall function 00B65978: HeapAlloc.KERNEL32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B659F7
  • Part of subcall function 00B65978: HeapFree.KERNEL32 ref: 00B65A7F
  • Part of subcall function 00B65978: HeapAlloc.KERNEL32 ref: 00B65A95
  • Part of subcall function 00B65978: WaitForSingleObject.KERNEL32 ref: 00B65AFC
  • Part of subcall function 00B65978: HeapFree.KERNEL32 ref: 00B65B24
  • Part of subcall function 00B65978: HeapFree.KERNEL32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B65B36
  • Part of subcall function 00B65978: RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B65B41
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000001,00000000,00B66EC7), ref: 00B66845
• GetCurrentThreadId.KERNEL32 ref: 00B66907
• GetCurrentThread.KERNEL32 ref: 00B6691D
• HeapFree.KERNEL32 ref: 00B66962
• HeapFree.KERNEL32 ref: 00B6697B
• HeapAlloc.KERNEL32 ref: 00B66990
• wsprintfA.USER32 ref: 00B669A6
• lstrlenA.KERNEL32 ref: 00B669AF
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$Alloc$CurrentThread$CloseObjectSingleWaitlstrlenwsprintf
                                                                                                                                                                                  • String ID: DLL load status: %u
                                                                                                                                                                                  • API String ID: 4098891812-2598350583
APIs
Strings
Yara matches
Similarity
• API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32Usermemset
• String ID: ExitProcess$KERNEL32.DLL
• API String ID: 1939944301-108369947
APIs
Strings
Yara matches
Similarity
• API ID: Heap$Free$lstrlen$Alloc$lstrcpy
• String ID: IMAP$POP3$SMTP$type=%S, name=%S, address=%S, server=%S, port=%u, ssl=%S, user=%S, password=%S
• API String ID: 3823614700-1010173016
APIs
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000001,?,00B6DC58), ref: 00B6CA55
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000001,?,00B6DC58), ref: 00B6CA73
• RegCreateKeyA.ADVAPI32 ref: 00B6CAA5
• HeapFree.KERNEL32 ref: 00B6CB02
• HeapFree.KERNEL32 ref: 00B6CB14
• HeapAlloc.KERNEL32 ref: 00B6CB35
• HeapAlloc.KERNEL32 ref: 00B6CB4A
• lstrlenA.KERNEL32 ref: 00B6CB79
• HeapFree.KERNEL32 ref: 00B6CBCD
• RegCloseKey.ADVAPI32 ref: 00B6CBF9
• HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000001,?,00B6DC58), ref: 00B6CC40
• HeapFree.KERNEL32(?,?,?,?,?,?,?,00000000,00000000,?,?,00000000,00000001,?,00B6DC58), ref: 00B6CC57
Yara matches
Similarity
• API ID: Heap$Free$Alloc$CloseCreatelstrlen
• String ID:
• API String ID: 687037872-0
APIs
Yara matches
Similarity
• API ID: CloseErrorHandleHeapLastNamedPipe$AllocBuffersConnectCreateDisconnectEventFileFlushFreeObjectSingleWait
• String ID:
• API String ID: 193829202-0
APIs
  • Part of subcall function 00B6A878: HeapAlloc.KERNEL32 ref: 00B6A8B6
  • Part of subcall function 00B6A878: HeapFree.KERNEL32 ref: 00B6A8E7
  • Part of subcall function 00B677B0: EnterCriticalSection.KERNEL32 ref: 00B677F8
  • Part of subcall function 00B677B0: LeaveCriticalSection.KERNEL32 ref: 00B6780D
  • Part of subcall function 00B677B0: GetSystemTimeAsFileTime.KERNEL32 ref: 00B6781F
  • Part of subcall function 00B677B0: HeapAlloc.KERNEL32 ref: 00B6789A
• lstrlenA.KERNEL32 ref: 00B6B209
• lstrlenA.KERNEL32 ref: 00B6B21A
• lstrlenA.KERNEL32 ref: 00B6B225
• HeapAlloc.KERNEL32 ref: 00B6B241
• wsprintfA.USER32 ref: 00B6B284
• HeapFree.KERNEL32 ref: 00B6B2AA
• HeapFree.KERNEL32 ref: 00B6B2C1
• HeapFree.KERNEL32 ref: 00B6B2D3
• HeapFree.KERNEL32 ref: 00B6B2E5
  • Part of subcall function 00B6B048: HeapAlloc.KERNEL32 ref: 00B6B077
  • Part of subcall function 00B6B048: HeapFree.KERNEL32 ref: 00B6B0F0
Strings
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$Alloc$lstrlen$CriticalSectionTime$EnterFileLeaveSystemwsprintf
                                                                                                                                                                                  • String ID: POST$URL: %suser=%spass=%s$https://
                                                                                                                                                                                  • API String ID: 502145361-1552670939
                                                                                                                                                                                  • Opcode ID: 89a0fe6d42c7d8b2ff7e273ef760e018889de6a41c7ffef0700c814caeaf1e6f
                                                                                                                                                                                  • Instruction ID: 2af586b7bfdc91a8f2a4c301e89f6d4ab26f86aafbf43659faba58923ef1d766
                                                                                                                                                                                  • Opcode Fuzzy Hash: 89a0fe6d42c7d8b2ff7e273ef760e018889de6a41c7ffef0700c814caeaf1e6f
                                                                                                                                                                                  • Instruction Fuzzy Hash: A5416B36304B4486EB15DB62E998B6A7BE1FB89BC8F4941259E0E47B25DF3CC549C700
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorLastmemset
• String ID: vids
• API String ID: 3276359510-3767230166
• Opcode ID: fb6adb2b249be4165c4019f61d5ae5646e6abf7edae7de187e865dc3edc8002f
• Instruction ID: 6013a8677bc87aa6fe71f94f087af581bedd1c2258b196c69497f2140abb96fc
• Opcode Fuzzy Hash: fb6adb2b249be4165c4019f61d5ae5646e6abf7edae7de187e865dc3edc8002f
• Instruction Fuzzy Hash: BEA14B73618A8087D724DF25E4547AEBBA1F7C5B94F148119EB9993B68DF38C845CF00
APIs
• HeapAlloc.KERNEL32 ref: 00B728DF
• memset.NTDLL ref: 00B728F9
  • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64DFF
  • Part of subcall function 00B64DA8: HeapAlloc.KERNEL32 ref: 00B64E17
  • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64E3F
  • Part of subcall function 00B64DA8: RegCloseKey.KERNELBASE ref: 00B64E6F
  • Part of subcall function 00B75430: HeapFree.KERNEL32(?,?,00000000,00B64CAE,?,?,?,?,?,?,?,?,00000004,00000000,00000000,00B627B3), ref: 00B75478
• GetCurrentThreadId.KERNEL32 ref: 00B729A4
• GetCurrentThread.KERNEL32 ref: 00B729BA
• EnterCriticalSection.KERNEL32 ref: 00B72ACC
• Sleep.KERNEL32 ref: 00B72AD9
• LeaveCriticalSection.KERNEL32 ref: 00B72B0B
• HeapFree.KERNEL32 ref: 00B72B4C
• HeapFree.KERNEL32 ref: 00B72B63
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$AllocCriticalCurrentQuerySectionThreadValue$CloseEnterLeaveSleepmemset
• String ID: TorClient
• API String ID: 1637878286-3399603969
• Opcode ID: 2d5748abebd9ed982a82155d1a36a8c9eb55e06ec74ee909023319b816eb7fdd
• Instruction ID: 090569d66d8fcaf505ef785240027e10f6f4b71544f9465c2c532c56ac397459
• Opcode Fuzzy Hash: 2d5748abebd9ed982a82155d1a36a8c9eb55e06ec74ee909023319b816eb7fdd
• Instruction Fuzzy Hash: 3C718C36704B858AEB20DF62F950B5A73A1FB88B84F498155DF5D47B15EF38C84ACB40
APIs
  • Part of subcall function 00B772B8: ZwQueryInformationProcess.NTDLL(00B77703), ref: 00B77302
  • Part of subcall function 00B772B8: HeapAlloc.KERNEL32 ref: 00B77322
  • Part of subcall function 00B772B8: HeapAlloc.KERNEL32 ref: 00B77348
• VirtualAlloc.KERNEL32 ref: 00B7771A
• VirtualFree.KERNEL32 ref: 00B77756
• VirtualAlloc.KERNEL32 ref: 00B7776B
• lstrcmpiA.KERNEL32 ref: 00B777AF
• StrChrA.SHLWAPI ref: 00B777C1
• lstrcmpiA.KERNEL32 ref: 00B777D8
• VirtualFree.KERNEL32 ref: 00B77833
• VirtualAlloc.KERNEL32 ref: 00B77850
• VirtualFree.KERNEL32 ref: 00B778E4
  • Part of subcall function 00B772B8: StrRChrA.SHLWAPI ref: 00B77497
  • Part of subcall function 00B772B8: HeapFree.KERNEL32 ref: 00B774F1
  • Part of subcall function 00B772B8: HeapFree.KERNEL32 ref: 00B77508
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Virtual$AllocFree$Heap$lstrcmpi$InformationProcessQuery
• String ID: NTDLL.DLL
• API String ID: 2387722688-1613819793
• Opcode ID: 2f59adb411e8af96051036c530317afd51e6308485f8338b627af99a0d445282
• Instruction ID: 9829907e8e17b0b4fda650700a95cc4ae815b2aabcf81976f79cef4f23d1d3b7
• Opcode Fuzzy Hash: 2f59adb411e8af96051036c530317afd51e6308485f8338b627af99a0d445282
• Instruction Fuzzy Hash: 5151F136369A5082EB598F23E504B2A77A1F789FC4F54D065EE6E17B04EF38C906C740
APIs
Strings
• {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 00B7F0EA
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: HandleModule$memset$CountErrorEventLastTickwsprintf
• String ID: {%08X-%04X-%04X-%04X-%08X%04X}
• API String ID: 2469165500-3263720277
• Opcode ID: f4e363011b31baed25c9ef07192af2c0cd4bfea8dba36b6dead3f87e3a485ff2
• Instruction ID: ca4196883e3e9e79b3207784cbf44b6f9f439f9f0f34627412dc84310a91ce5e
• Opcode Fuzzy Hash: f4e363011b31baed25c9ef07192af2c0cd4bfea8dba36b6dead3f87e3a485ff2
• Instruction Fuzzy Hash: C851A236204A41C6DB64DF25F84476E77A1F384B98F948125EB9E43B28DF3DC88ACB04
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Similarity
• API ID: HeapQuery$AllocFreelstrcpylstrlen
• String ID: DelegateExecute$SOFTWARE\Classes\Chrome
• API String ID: 2646686563-1743081400
APIs
• HeapAlloc.KERNEL32(00000001,00000000,00000008,?,00000000,?,?,00B64FAE), ref: 00B7B312
  • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64DFF
  • Part of subcall function 00B64DA8: HeapAlloc.KERNEL32 ref: 00B64E17
  • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64E3F
  • Part of subcall function 00B64DA8: RegCloseKey.KERNELBASE ref: 00B64E6F
• HeapFree.KERNEL32(?,00000000,?,?,00B64FAE), ref: 00B7B3A6
• GetSystemTimeAsFileTime.KERNEL32(?,00000000,?,?,00B64FAE), ref: 00B7B487
• SystemTimeToFileTime.KERNEL32(?,00000000,?,?,00B64FAE), ref: 00B7B4C3
• HeapFree.KERNEL32(?,00000000,?,?,00B64FAE), ref: 00B7B540
• GetSystemTime.KERNEL32(?,00000000,?,?,00B64FAE), ref: 00B7B54B
• HeapFree.KERNEL32(?,00000000,?,?,00B64FAE), ref: 00B7B570
Similarity
• API ID: HeapTime$FreeSystem$AllocFileQueryValue$Close
• String ID: Temp
• API String ID: 307624569-2875271924
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
APIs
  • Part of subcall function 00B6A878: HeapAlloc.KERNEL32 ref: 00B6A8B6
  • Part of subcall function 00B6A878: HeapFree.KERNEL32 ref: 00B6A8E7
• HeapAlloc.KERNEL32 ref: 00B6AF71
• HeapFree.KERNEL32 ref: 00B6AFA5
• HeapFree.KERNEL32 ref: 00B6AFF1
• HeapFree.KERNEL32 ref: 00B6B015
  • Part of subcall function 00B6ADAC: HeapAlloc.KERNEL32 ref: 00B6ADF6
• HeapFree.KERNEL32 ref: 00B6B027
Similarity
• API ID: Heap$Free$Alloc
• String ID: POST$https://
• API String ID: 3901518246-1363451364
Similarity
• API ID: memset$memcpy$__chkstk
• String ID:
• API String ID: 3176333038-0
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$AllocCriticalSectionVirtual$EnterLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2296748103-0
                                                                                                                                                                                  • Opcode ID: 1b0961dea9ce7a09e16754413d0028e234348d539c8c9e631e74017eb9161ba8
                                                                                                                                                                                  • Instruction ID: 6fed17bae0d1f21dd9dbf3cb44aa5299927c3b7bac37e1abe2bdd6ae411df5e7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1b0961dea9ce7a09e16754413d0028e234348d539c8c9e631e74017eb9161ba8
                                                                                                                                                                                  • Instruction Fuzzy Hash: 36A1B172324B4183EB60AF26E59876E77A0F798BD4F100166DB4A97B64DF38C469CB40
APIs
• ZwQueryInformationProcess.NTDLL(00B77703), ref: 00B77302
• HeapAlloc.KERNEL32 ref: 00B77322
• HeapAlloc.KERNEL32 ref: 00B77348
• StrRChrA.SHLWAPI ref: 00B77497
• HeapFree.KERNEL32 ref: 00B774F1
• HeapFree.KERNEL32 ref: 00B77508
  • Part of subcall function 00B77E6C: NtReadVirtualMemory.NTDLL ref: 00B77E8A
  • Part of subcall function 00B77E6C: RtlNtStatusToDosError.NTDLL ref: 00B77E9F
  • Part of subcall function 00B77E6C: SetLastError.KERNEL32 ref: 00B77EA7
Similarity
• API ID: Heap$AllocErrorFree$InformationLastMemoryProcessQueryReadStatusVirtual
APIs
Similarity
• API ID: Heap$AllocComputerFreeName
APIs
• memset.NTDLL ref: 00B85231
• FlushFileBuffers.KERNEL32(?,?,?,?,?,00B6131B,00B85530), ref: 00B852D2
• GetLastError.KERNEL32(?,?,?,?,?,00B6131B,00B85530), ref: 00B852DC
Similarity
• API ID: BuffersErrorFileFlushLastmemset
• String ID: K$P
APIs
Similarity
• API ID: memset$__chkstk
APIs
• HeapAlloc.KERNEL32 ref: 00B7C9BF
• memset.NTDLL ref: 00B7C9E9
• ZwQueryInformationProcess.NTDLL ref: 00B7CA09
• HeapFree.KERNEL32 ref: 00B7CB58
  • Part of subcall function 00B77E6C: NtReadVirtualMemory.NTDLL ref: 00B77E8A
  • Part of subcall function 00B77E6C: RtlNtStatusToDosError.NTDLL ref: 00B77E9F
  • Part of subcall function 00B77E6C: SetLastError.KERNEL32 ref: 00B77EA7
Similarity
• API ID: ErrorHeap$AllocFreeInformationLastMemoryProcessQueryReadStatusVirtualmemset
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocErrorFreeInformationQueryStatusSystem
• String ID:
• API String ID: 749986012-0
• Opcode ID: abd635b0fba373fd73b1a60663c3a7d41e057cf8e5932a3960e5d4250982aa6a
• Instruction ID: 742668919fac84a9c17a556d27063399d8076b6b1131d86cf8ef5be716f09c1d
• Opcode Fuzzy Hash: abd635b0fba373fd73b1a60663c3a7d41e057cf8e5932a3960e5d4250982aa6a
• Instruction Fuzzy Hash: 1A116D36348B4587EB159B62E88477972A6EB89B94F1980B5DF1E47348EF3CCC85C700
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Error$LastStatus
• String ID: @
• API String ID: 4076355890-2766056989
• Opcode ID: 2ec78a4ca895a63ea2db73a897a804f3d67ef30e872dbd0d8a3d1da5ac28541c
• Instruction ID: 20fee0647cdf25f39c3fd0d297f72062c70eaa16fa6e02517c76ecbcd357c454
• Opcode Fuzzy Hash: 2ec78a4ca895a63ea2db73a897a804f3d67ef30e872dbd0d8a3d1da5ac28541c
• Instruction Fuzzy Hash: 4DF08CA2318B4482EB108F61F48876D33A0F748399F980425EB6E0F340CF7DCA898B40
APIs
• CreateProcessAsUserW.KERNEL32 ref: 00B7D95D
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CreateProcessUser
• String ID:
• API String ID: 2217836671-0
• Opcode ID: d62f5ccacfff9bcee4e85e6b62864ac9b1a550bac247828671b7b76c9430269f
• Instruction ID: b35c6fdbe21bba689822e261a837ba34138ce6a09d42ca6df1981ebd35d9d5c2
• Opcode Fuzzy Hash: d62f5ccacfff9bcee4e85e6b62864ac9b1a550bac247828671b7b76c9430269f
• Instruction Fuzzy Hash: F5219236209BC48AD7B08B19F98075AB7F4F7897A4F244215EBDD43B68DB38C495CB05
APIs
• GetTickCount.KERNEL32 ref: 00B7A3FD
• wsprintfA.USER32 ref: 00B7A46C
• wsprintfA.USER32 ref: 00B7A492
• wsprintfA.USER32 ref: 00B7A4B7
• lstrcatA.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A4DC
• HeapAlloc.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A520
• GetTickCount.KERNEL32 ref: 00B7A532
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A54A
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A56B
• StrTrimA.SHLWAPI(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A5AD
• lstrcpyA.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A5D9
• lstrcpyA.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A5E5
• lstrcatA.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A5F1
• lstrcatA.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A5FD
• HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A6CE
• HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A6E0
• HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A6F2
• HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A704
• HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00000008,00000000,00000000,00000000,00B647F4), ref: 00B7A71B
  • Part of subcall function 00B72EC4: EnterCriticalSection.KERNEL32 ref: 00B72EF3
  • Part of subcall function 00B72EC4: LeaveCriticalSection.KERNEL32 ref: 00B72F14
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$CriticalSection$lstrcatwsprintf$CountEnterLeaveTicklstrcpy$AllocTrim
• String ID: &ip=%s$&os=%s$&tor=1$/images/$soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
• API String ID: 2560516500-2513872350
• Opcode ID: 8820c8361b7df74ed2a7c1a130dcb70009a3ed44b6f924c6062df70de1237351
• Instruction ID: 0efe50e2c4853ed78cacb0d9c66427375c6c8a6eb987e1279c146c7c4ceeee66
• Opcode Fuzzy Hash: 8820c8361b7df74ed2a7c1a130dcb70009a3ed44b6f924c6062df70de1237351
• Instruction Fuzzy Hash: FF914876204B8086EB54CB2AF894B6A77A1FB89BD5F048126DF5E43768DF3CC489C701
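The format strings in this function's string table (wsprintfA/lstrcatA building `soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x`, optionally followed by `&ip=%s`, `&os=%s` and `&tor=1`, with a `/images/` path fragment) spell out the plaintext layout of the bot's check-in query. The block below is an added example and is not part of the Joe Sandbox report or the sample's own code: a Python matcher for that layout, run over constructed proxy log lines. The host names, client addresses and parameter values in the sample log are made up; only the parameter order, the hex widths implied by `%08x`/`%x`, and the `/images/` path fragment come from the strings above. It matches only this plaintext form; if a given build encodes or encrypts the query before it leaves the host, a URL-level rule like this will not fire and the check has to happen before that transformation.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query layout taken from the format strings in the function's string table:
#   soft=%u&version=%u&user=%08x%08x%08x%08x&server=%u&id=%u&crc=%x
# optionally followed by &ip=%s, &os=%s, &tor=1. wsprintfA's %08x / %x emit
# lowercase hex, so four %08x give exactly 32 lowercase hex characters.
CHECKIN_RE = re.compile(
    r"^soft=\d+&version=\d+&user=[0-9a-f]{32}&server=\d+&id=\d+&crc=[0-9a-f]+"
    r"(?:&ip=[^&]*)?(?:&os=[^&]*)?(?:&tor=1)?$"
)


def classify_url(url):
    """Return a dict saying whether a URL's query matches the check-in layout,
    and if so the fields an analyst would want to pivot on."""
    parts = urlsplit(url)
    if not CHECKIN_RE.match(parts.query):
        return {"match": False, "url": url}
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "match": True,
        "url": url,
        "path_images": "/images/" in parts.path,   # path fragment from the same string table
        "bot_id": params["user"],                  # the 4 x %08x machine identifier
        "server": int(params["server"]),
        "tor": params.get("tor") == "1",
    }


# Constructed proxy log lines (not from the report): "client method url status".
# Hosts, addresses and parameter values are invented for the example.
SAMPLE_LOG = """\
10.0.0.5 GET http://example.invalid/images/abc.gif?soft=3&version=250215&user=00112233445566778899aabbccddeeff&server=12&id=1024&crc=1f3a7c&ip=203.0.113.9&os=10.0_0_x64&tor=1 200
10.0.0.5 GET http://cdn.example.invalid/images/logo.png 200
10.0.0.7 POST http://example.invalid/api/v1/login?user=alice&version=2 302
10.0.0.9 GET http://example.invalid/images/x.gif?soft=3&version=250215&user=ffeeddccbbaa99887766554433221100&server=12&id=7&crc=0 200
"""


def scan_log(text):
    """Run classify_url over each log line; return the matching entries with the client added."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        result = classify_url(fields[2])
        if result["match"]:
            result["client"] = fields[0]
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Anchoring the regex at both ends and requiring the fixed parameter order keeps ordinary `user=`/`version=` query strings (third sample line) from matching; the optional `ip`, `os` and `tor` suffixes cover both the short and the long form the function can emit. The `/images/` path check is reported separately rather than required, since the string table shows it as a fragment, not a full path.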
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocTrim$Free_struprlstrlenmemcpymemset
• String ID:
• API String ID: 2961261462-3688684798
• Opcode ID: 6123450f67303d9660eb7f36165b59a3b4ba273dda63d8086ec2fc56b25ba913
• Instruction ID: 3034e99dae25a4ad0e7aff052303bc9459e2617da5d1ec65ce45204e3322eb6d
• Opcode Fuzzy Hash: 6123450f67303d9660eb7f36165b59a3b4ba273dda63d8086ec2fc56b25ba913
• Instruction Fuzzy Hash: 54513A36601B4086EB00DF66E9587697BA1F798FC4F898861DB5E47B24DF3CD94AC700
APIs
• RegOpenKeyA.ADVAPI32 ref: 00B61AEF
• CloseHandle.KERNEL32 ref: 00B61B64
• DeleteFileW.KERNEL32 ref: 00B61B75
• GetLastError.KERNEL32 ref: 00B61B7F
• HeapFree.KERNEL32 ref: 00B61B93
• HeapFree.KERNEL32 ref: 00B61BB5
• RegCloseKey.ADVAPI32 ref: 00B61BF9
• HeapFree.KERNEL32 ref: 00B61C0B
• RegCloseKey.ADVAPI32 ref: 00B61C1D
• SuspendThread.KERNEL32 ref: 00B61C2E
• CreateEventA.KERNEL32 ref: 00B61C49
• SetEvent.KERNEL32 ref: 00B61C5A
• CloseHandle.KERNEL32 ref: 00B61C63
• Sleep.KERNEL32 ref: 00B61C6E
                                                                                                                                                                                  • ResumeThread.KERNEL32 ref: 00B61C98
                                                                                                                                                                                    • Part of subcall function 00B78A04: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B61B23), ref: 00B78A60
                                                                                                                                                                                    • Part of subcall function 00B78A04: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B61B23), ref: 00B78AD5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B61AE1
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close$Heap$Free$EventHandleThread$AllocCreateDeleteErrorFileLastOpenResumeSleepSuspend
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                                                                                  • API String ID: 2858932356-1428018034
                                                                                                                                                                                  • Opcode ID: a59d38f784f1ca07e61bb55e7ea5e5fa6c1ecfcc48fcb5315eb2cf89da9e6b23
                                                                                                                                                                                  • Instruction ID: bf8fd5688a80cf2c8c2784931960dbfb7dcc2d31e1e8e6bebd08b03a2f205222
                                                                                                                                                                                  • Opcode Fuzzy Hash: a59d38f784f1ca07e61bb55e7ea5e5fa6c1ecfcc48fcb5315eb2cf89da9e6b23
                                                                                                                                                                                  • Instruction Fuzzy Hash: AF514B25204B4082EB00DB66E9953697BB1FB89FD4F894556DF0E8B764DF7CC48AC300
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LibraryLoad$Alloc
                                                                                                                                                                                  • String ID: WININET.DLL$WININET.dll$ieapfltr$ieframe$ieui$inetcpl.cpl$mshtml$urlmon
                                                                                                                                                                                  • API String ID: 31516217-1120705325
                                                                                                                                                                                  • Opcode ID: 23c1dd3a9af6f24863dfed83a6bdb96e7f9eae023207be9b26b4f1fe7bf045bf
                                                                                                                                                                                  • Instruction ID: 7a2aec46b28e3cc0d2cb2e4e7286fa62f05310ae2a7581a25386fe2312329da2
                                                                                                                                                                                  • Opcode Fuzzy Hash: 23c1dd3a9af6f24863dfed83a6bdb96e7f9eae023207be9b26b4f1fe7bf045bf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 63111E25310B0A92FB10EB60ED95B683370F755709F950422C72E921B1DF3CC99EC361
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B722C9
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B72307
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B72319
                                                                                                                                                                                  • SleepEx.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7232D
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B72362
                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7236F
                                                                                                                                                                                  • DeleteCriticalSection.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7237C
                                                                                                                                                                                  • SleepEx.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B723B0
                                                                                                                                                                                  • SleepEx.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B723CF
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B723FD
                                                                                                                                                                                  • RemoveVectoredExceptionHandler.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7243A
                                                                                                                                                                                  • ReleaseMutex.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7244C
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B72459
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B72472
                                                                                                                                                                                  • Sleep.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7247F
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B724B1
                                                                                                                                                                                  • SleepEx.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B724CC
                                                                                                                                                                                  • CloseHandle.KERNEL32(?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B724FD
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSection$Sleep$FreeHeap$CloseDeleteEnterHandleLeave$ExceptionHandlerMutexReleaseRemoveVectored
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2750149408-0
                                                                                                                                                                                  • Opcode ID: b64296843005965941517c4b64a9164b6a93d4bf85720715b19468f2bcc03b81
                                                                                                                                                                                  • Instruction ID: fb060dc3866994f7580291c0aaae5c231247ce6dc2f5b55bb19afe5e51e70242
                                                                                                                                                                                  • Opcode Fuzzy Hash: b64296843005965941517c4b64a9164b6a93d4bf85720715b19468f2bcc03b81
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E714835200A40C6EB15DF26E9A072873B2F788B85F968162DB6E47764DF3CCC8AC715
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wsprintf$Heap$AllocTimememcpy$FileFreeSystemlstrlen
                                                                                                                                                                                  • String ID: %u%u%u$--%s%s$--%s--$Content-Type: multipart/form-data; boundary=%s
                                                                                                                                                                                  • API String ID: 3163594004-3325008428
                                                                                                                                                                                  • Opcode ID: 00e3fe1386cf0824155fcc6c5ec986bfae25e8d8b1e89d962a03b9feefd42a84
                                                                                                                                                                                  • Instruction ID: 7f9ea8500bd735288c097ec1d4a43220651a59012118ec4038fae852ef6cc086
                                                                                                                                                                                  • Opcode Fuzzy Hash: 00e3fe1386cf0824155fcc6c5ec986bfae25e8d8b1e89d962a03b9feefd42a84
                                                                                                                                                                                  • Instruction Fuzzy Hash: 2C416B36310B4696EB10CF16E894B9977B1F789B98F458516DF0E47724DF38C94AC740
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
                                                                                                                                                                                    • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
                                                                                                                                                                                    • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B654E6
  • Part of subcall function 00B69B98: lstrlenA.KERNEL32(?,?,00000000,00B6550A), ref: 00B69BB2
  • Part of subcall function 00B69B98: lstrlenA.KERNEL32(?,?,00000000,00B6550A), ref: 00B69BBE
  • Part of subcall function 00B69B98: HeapAlloc.KERNEL32(?,?,00000000,00B6550A), ref: 00B69BD5
  • Part of subcall function 00B69B98: wsprintfA.USER32 ref: 00B69BF3
  • Part of subcall function 00B69B98: wsprintfA.USER32 ref: 00B69C22
  • Part of subcall function 00B69B98: HeapFree.KERNEL32(?,?,00000000,00B6550A), ref: 00B69C43
• HeapFree.KERNEL32 ref: 00B655F3
  • Part of subcall function 00B75430: HeapFree.KERNEL32(?,?,00000000,00B64CAE,?,?,?,?,?,?,?,?,00000004,00000000,00000000,00B627B3), ref: 00B75478
• StrTrimA.SHLWAPI ref: 00B655B4
• HeapFree.KERNEL32 ref: 00B655D8
• DeleteFileA.KERNEL32 ref: 00B655E1
• StrChrA.SHLWAPI ref: 00B656A7
• HeapFree.KERNEL32 ref: 00B656BE
• StrTrimA.SHLWAPI ref: 00B6570D
• lstrlenA.KERNEL32 ref: 00B65716
• HeapFree.KERNEL32 ref: 00B65732
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$lstrlen$Temp$AllocFilePathTrimwsprintf$CountDeleteNameTicklstrcpy
• String ID: $ s:$nslookup myip.opendns.com resolver1.opendns.com $ss: *.*.*.*
• API String ID: 715369030-3821195932
• Opcode ID: 83e4a4008f3071b4bf8bc7ebcdbfacb84743d042852674ffa14552aa15a78d6a
• Instruction ID: 29840b0ebacfda40bc88659060ce28ed2c00fdc0afc403ddccf882bf0dd15cca
• Opcode Fuzzy Hash: 83e4a4008f3071b4bf8bc7ebcdbfacb84743d042852674ffa14552aa15a78d6a
• Instruction Fuzzy Hash: 0651C531315B8282EF359B65E8A87B973D1EB84784F894076CE4A47B55DF3CC899CB00
APIs
  • Part of subcall function 00B78AF0: RegOpenKeyA.ADVAPI32 ref: 00B78B1E
  • Part of subcall function 00B78AF0: RegQueryValueExA.ADVAPI32 ref: 00B78B4E
  • Part of subcall function 00B78AF0: HeapAlloc.KERNEL32 ref: 00B78B6A
  • Part of subcall function 00B78AF0: RegQueryValueExA.ADVAPI32 ref: 00B78B97
  • Part of subcall function 00B78AF0: RegCloseKey.ADVAPI32 ref: 00B78BD6
• lstrlenA.KERNEL32 ref: 00B74740
• HeapAlloc.KERNEL32 ref: 00B74757
• mbstowcs.NTDLL ref: 00B74779
• lstrlenA.KERNEL32 ref: 00B74785
• HeapAlloc.KERNEL32 ref: 00B7479C
• mbstowcs.NTDLL ref: 00B747B8
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756A3
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756D8
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756E5
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75738
  • Part of subcall function 00B75668: memset.NTDLL ref: 00B7575C
  • Part of subcall function 00B75668: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7577B
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757C1
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757D1
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757F9
• HeapFree.KERNEL32 ref: 00B747EA
• HeapFree.KERNEL32 ref: 00B747FC
• HeapFree.KERNEL32 ref: 00B7482E
• HeapFree.KERNEL32 ref: 00B74861
• HeapFree.KERNEL32 ref: 00B7487A
  • Part of subcall function 00B78AF0: HeapFree.KERNEL32 ref: 00B78BC4
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocFreelstrlen$QueryValuembstowcs$CloseFileFindFirstOpenmemset
• String ID: Salt$Store Root$account{*}.oeaccount
• API String ID: 354489030-2077432962
• Opcode ID: 1ec41523befdfa68e07b846a79efb122ead3582ced472b500dbc91fd5034b62f
• Instruction ID: 958ed6484edd8aa1cbea0b45f61236df85bfd278fb1d751116884c77164d12c0
• Opcode Fuzzy Hash: 1ec41523befdfa68e07b846a79efb122ead3582ced472b500dbc91fd5034b62f
• Instruction Fuzzy Hash: AA51B032614B8582DB10CF26E848BAA73A6F788BD4F868166DF5D87714DF3CC54AC740
APIs
Strings
• Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B619C7
• %lu.exe, xrefs: 00B6198F
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$PathTemp$AllocCloseCountCreateHeaderImageTickValuelstrlenwsprintf
• String ID: %lu.exe$Software\Microsoft\Windows\CurrentVersion\Run
• API String ID: 1622340061-2576086316
• Opcode ID: 88b65a36fd65748a4cd3cebd7ae84c44b8541a3ff69ab37156df54b0ba30e5e8
• Instruction ID: ae65325e49f178a4f3709eaf7aba7a9da713d08557df365c9c46ace89c28dd73
• Opcode Fuzzy Hash: 88b65a36fd65748a4cd3cebd7ae84c44b8541a3ff69ab37156df54b0ba30e5e8
• Instruction Fuzzy Hash: 0A318C26715B4083EB10DB66B988B5A7BA1FB88BC4F484121DF4A87B65EF3CC449C700
APIs
  • Part of subcall function 00B78128: lstrlenW.KERNEL32 ref: 00B78146
  • Part of subcall function 00B78128: HeapAlloc.KERNEL32 ref: 00B78161
  • Part of subcall function 00B78128: memcpy.NTDLL ref: 00B7817D
  • Part of subcall function 00B78128: memset.NTDLL ref: 00B78191
• lstrlenW.KERNEL32 ref: 00B77C30
  • Part of subcall function 00B75DA4: lstrcpyA.KERNEL32 ref: 00B75DE7
  • Part of subcall function 00B75DA4: CreateDirectoryA.KERNEL32 ref: 00B75DFE
  • Part of subcall function 00B75DA4: GetTickCount.KERNEL32 ref: 00B75E08
  • Part of subcall function 00B75DA4: GetTempFileNameA.KERNEL32 ref: 00B75E1E
  • Part of subcall function 00B75DA4: lstrcpyA.KERNEL32 ref: 00B75E3B
• HeapAlloc.KERNEL32 ref: 00B77C5B
• lstrcpyA.KERNEL32 ref: 00B77C80
• wsprintfA.USER32 ref: 00B77C93
• HeapAlloc.KERNEL32 ref: 00B77CA5
• GetTickCount.KERNEL32 ref: 00B77CB3
• wsprintfA.USER32 ref: 00B77CC9
  • Part of subcall function 00B77AFC: HeapFree.KERNEL32 ref: 00B77BB4
  • Part of subcall function 00B77AFC: HeapFree.KERNEL32 ref: 00B77BC6
• HeapFree.KERNEL32 ref: 00B77CF3
• HeapFree.KERNEL32 ref: 00B77D05
• HeapFree.KERNEL32 ref: 00B77D17
• HeapFree.KERNEL32 ref: 00B77D29
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$Alloclstrcpy$CountTicklstrlenwsprintf$CreateDirectoryFileNameTempmemcpymemset
• String ID: "%S"$.bat$attrib -r -s -h %%1:%udel %%1if exist %%1 goto %udel %%0
• API String ID: 4096988922-2880143881
• Opcode ID: a99e16a42d8b828de06f5f74dd107251649499bc776793a6281e8db70b649c8a
• Instruction ID: 3eea2203a60038b5423350e87e88b7940730f2d51df67a40449a554cd8407f57
• Opcode Fuzzy Hash: a99e16a42d8b828de06f5f74dd107251649499bc776793a6281e8db70b649c8a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 63315A65700B4182EB14DB66E898B297BA2FB8AFD0F898465CF1E47764DF3CC54AC340
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B6E552
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B6E563
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B6E57A
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B6E597
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B6E5AB
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B6E5D8
                                                                                                                                                                                  • wsprintfA.USER32 ref: 00B6E6BA
                                                                                                                                                                                  • memcpy.NTDLL ref: 00B6E728
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B6E793
                                                                                                                                                                                    • Part of subcall function 00B67A04: HeapAlloc.KERNEL32 ref: 00B67A48
                                                                                                                                                                                    • Part of subcall function 00B67A04: memcpy.NTDLL ref: 00B67A5F
                                                                                                                                                                                    • Part of subcall function 00B67A04: EnterCriticalSection.KERNEL32 ref: 00B67A6F
                                                                                                                                                                                    • Part of subcall function 00B67A04: LeaveCriticalSection.KERNEL32 ref: 00B67A84
                                                                                                                                                                                    • Part of subcall function 00B67A04: HeapFree.KERNEL32 ref: 00B67AC5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: lstrlen$Heap$AllocCriticalFreeSectionmemcpy$EnterLeavewsprintf
                                                                                                                                                                                  • String ID: Accept-Language: $Cookie: $Referer: $URL: %sREF: %sLANG: %sAGENT: %sCOOKIE: %sPOST: $USER: %s
                                                                                                                                                                                  • API String ID: 531487546-1852062776
                                                                                                                                                                                  • Opcode ID: c173b8384f2f1dc0a413f47353f646423699f518c1a6276451e3fb4961b413b2
                                                                                                                                                                                  • Instruction ID: 55894c6fb69ac346efbe6743a5a7d1131455afdb6d31c2ca8fd2b564aa8b58b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: c173b8384f2f1dc0a413f47353f646423699f518c1a6276451e3fb4961b413b2
                                                                                                                                                                                  • Instruction Fuzzy Hash: F661E03A305B8086EB25DF16E840BAA77A1FB8ABC8F484166DF0A53714EF3CC549C701
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • StrChrA.SHLWAPI(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62749
                                                                                                                                                                                  • StrTrimA.SHLWAPI(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62767
                                                                                                                                                                                  • StrChrA.SHLWAPI(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62777
                                                                                                                                                                                  • StrTrimA.SHLWAPI(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62795
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B627E9
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62811
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B6282F
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62838
                                                                                                                                                                                  • memcpy.NTDLL(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B6287E
                                                                                                                                                                                  • memcpy.NTDLL(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B62893
                                                                                                                                                                                  • SwitchToThread.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B628B9
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,00000000,00000000,00000000,?,00000000,00B6466F), ref: 00B628EB
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B6290E
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B62925
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$Trimlstrlenmemcpy$AllocSwitchThreadlstrcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2465798656-0
                                                                                                                                                                                  • Opcode ID: ec0fa72fb27d8ea03ee6fad734b67796a03f60661ac5ba51e1135170feb0c2df
                                                                                                                                                                                  • Instruction ID: 2964715676f9e56502ff43243d43713544b05692e6e81af677d818b83278bbfd
                                                                                                                                                                                  • Opcode Fuzzy Hash: ec0fa72fb27d8ea03ee6fad734b67796a03f60661ac5ba51e1135170feb0c2df
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B518636214B4086EB149F26E844B6A7BA1FB89FD4F499065DF4E47B18DF3CC84ACB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B780A4: lstrlenA.KERNEL32 ref: 00B780C2
                                                                                                                                                                                    • Part of subcall function 00B780A4: HeapAlloc.KERNEL32 ref: 00B780DC
                                                                                                                                                                                    • Part of subcall function 00B780A4: memcpy.NTDLL ref: 00B780F3
                                                                                                                                                                                    • Part of subcall function 00B780A4: memset.NTDLL ref: 00B78105
                                                                                                                                                                                  • StrChrA.SHLWAPI ref: 00B72BC3
                                                                                                                                                                                  • StrTrimA.SHLWAPI ref: 00B72BE1
                                                                                                                                                                                  • RtlImageNtHeader.NTDLL ref: 00B72C13
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B72C42
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B72C8A
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B72CD1
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B72CEF
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 00B72D04
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32 ref: 00B72D25
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B72D61
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$CriticalSectionlstrlen$AllocEnterHeaderImageLeaveTrimmemcpymemset
                                                                                                                                                                                  • String ID: $TorClient
                                                                                                                                                                                  • API String ID: 2443069317-2371105432
                                                                                                                                                                                  • Opcode ID: 974d3b04019e7894b1d48c576a77751344aff1e3e9f995fab9a962066b282795
                                                                                                                                                                                  • Instruction ID: e60e750c6429d8163d490932f347e08b6ace0c1e4cb8940347de62f9ee9f0018
                                                                                                                                                                                  • Opcode Fuzzy Hash: 974d3b04019e7894b1d48c576a77751344aff1e3e9f995fab9a962066b282795
                                                                                                                                                                                  • Instruction Fuzzy Hash: DF519B25304B8086FB15EB7BE89476937A1EB99BD4F098164CF2E477A5DF3CC94A8700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 00B6974C
                                                                                                                                                                                    • Part of subcall function 00B752A4: lstrlenA.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752C2
                                                                                                                                                                                    • Part of subcall function 00B752A4: HeapAlloc.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752D8
                                                                                                                                                                                    • Part of subcall function 00B752A4: mbstowcs.NTDLL ref: 00B752F0
                                                                                                                                                                                    • Part of subcall function 00B752A4: HeapFree.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75311
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 00B697A2
                                                                                                                                                                                  • wcstombs.NTDLL ref: 00B697B3
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B697CA
                                                                                                                                                                                  • CreateProcessA.KERNEL32 ref: 00B69811
• WaitForMultipleObjects.KERNEL32 ref: 00B69841
• GetExitCodeProcess.KERNEL32 ref: 00B6986C
• CloseHandle.KERNEL32 ref: 00B69877
• CloseHandle.KERNEL32 ref: 00B69882
• HeapFree.KERNEL32 ref: 00B698A8
  • Part of subcall function 00B78128: lstrlenW.KERNEL32 ref: 00B78146
  • Part of subcall function 00B78128: HeapAlloc.KERNEL32 ref: 00B78161
  • Part of subcall function 00B78128: memcpy.NTDLL ref: 00B7817D
  • Part of subcall function 00B78128: memset.NTDLL ref: 00B78191
• GetLastError.KERNEL32 ref: 00B6988A
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Freelstrlen$AllocCloseHandleProcessmemset$CodeCreateErrorExitLastMultipleObjectsWaitmbstowcsmemcpywcstombs
• String ID: h
• API String ID: 4225994567-2439710439
• Opcode ID: c3a035536efa31ce7ea997a91d9e60adc2da576ef3fa415828fb4a43eff29504
• Instruction ID: 2a71c8ead956a0d3cf71712aeadded2da4c7cbc687beef043373c82fe10950e6
• Opcode Fuzzy Hash: c3a035536efa31ce7ea997a91d9e60adc2da576ef3fa415828fb4a43eff29504
• Instruction Fuzzy Hash: 81418C36214B8086EB20DF65F84479AB7E4FB89BD1F054125DB8947B68DF3CC459CB00
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressCriticalHeapLibraryLoadProcSection$AllocEnterFreeLeave
• String ID: NSPR4.DLL$NSS3.DLL$PR_GetError$PR_SetError
• API String ID: 1370164896-1785498001
• Opcode ID: 2fbc707ce462ecda5bf06f90d934d15362697923b9aa4c5336f7c86ebaa87c90
• Instruction ID: 22af6ebcf9eefd2d9d01fecd3a59ef302d2de0824da79a639e14f7e19c985eae
• Opcode Fuzzy Hash: 2fbc707ce462ecda5bf06f90d934d15362697923b9aa4c5336f7c86ebaa87c90
• Instruction Fuzzy Hash: 1951D035201B4596EB01CF16F9A575837A9F789B88F994566CB4E83364EF3CC5AAC300
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ErrorFileHandleHeapLast$AllocCloseCreateDirectoryFreeModuleWindowsWritewsprintf
• String ID: \\.\%s
• API String ID: 679273240-869905501
• Opcode ID: f755b9aa19d85683dff60d69995375f2d9e37b7f3399f27092bae2d738b5e6ca
• Instruction ID: 417d9b1d7d4b165dcdc4426d6ddc1a30523a9c9c9a03bf73c81394982c724a5c
• Opcode Fuzzy Hash: f755b9aa19d85683dff60d69995375f2d9e37b7f3399f27092bae2d738b5e6ca
• Instruction Fuzzy Hash: 6E219C21304B4082E700CB6AE89876A77A1FB89BE5F498629DF5E43795DF7CC54AC700
APIs
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
  • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
  • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
  • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
  • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
• DeleteFileA.KERNEL32 ref: 00B61271
• CreateDirectoryA.KERNEL32 ref: 00B6127C
• GetLastError.KERNEL32 ref: 00B61286
• HeapFree.KERNEL32 ref: 00B61342
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Temp$FileHeapPath$AllocCountCreateDeleteDirectoryErrorFreeLastNameTicklstrcpy
• String ID: AddressBook$AuthRoot$CertificateAuthority$Disallowed$Root$TrustedPeople$TrustedPublisher
• API String ID: 1152113453-3095660563
• Opcode ID: 820113db86e2bd7f7d3fc38705a00d1fb811c6e6113d34181d29a348877258f7
• Instruction ID: 5296db078a3201cc5061e6cc111e3f8aa87c57c3696d112edd215ec4d9029460
• Opcode Fuzzy Hash: 820113db86e2bd7f7d3fc38705a00d1fb811c6e6113d34181d29a348877258f7
• Instruction Fuzzy Hash: BB218C5572464181EE00FF2AB86536A7396AB9ABC2F8C88719E0FCB399DF3CC045C301
APIs
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E1ED
  • Part of subcall function 00B7DEA0: EnterCriticalSection.KERNEL32(?,?,00000000,00B7E215), ref: 00B7DEBE
  • Part of subcall function 00B7DEA0: LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E215), ref: 00B7DECC
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E229
• FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E269
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E27C
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E28F
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E29A
• lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E365
• FileTimeToLocalFileTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E3BC
• FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00B62FD6), ref: 00B7E3CF
Strings
• %02u-%02u-%02u %02u:%02u:%02uClipboard%s, xrefs: 00B7E41A
• %02u-%02u-%02u %02u:%02u:%02u%s%s%s, xrefs: 00B7E337
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Time$File$lstrlen$CriticalHeapLocalSectionSystem$AllocEnterFreeLeave
• String ID: %02u-%02u-%02u %02u:%02u:%02u%s%s%s$%02u-%02u-%02u %02u:%02u:%02uClipboard%s
• API String ID: 4221666287-2207419989
• Opcode ID: 2dcc24500525e83890a9695004faaf3c9af75e72df94c47d7d8773d3e3841aa7
• Instruction ID: 1ee7d63f14eb8241b2ec3c6b3dfeb50ae17ad2954e019904f3751517078500e8
• Opcode Fuzzy Hash: 2dcc24500525e83890a9695004faaf3c9af75e72df94c47d7d8773d3e3841aa7
• Instruction Fuzzy Hash: BC71B332204B5586D710DF26E84476EB7B1FB88B84F818165EB9E43B68EF3CD596CB04
APIs
Strings
• Software\Microsoft\Windows Mail, xrefs: 00B629D7
• Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\, xrefs: 00B62AD3
• Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\, xrefs: 00B62A17
• Software\Microsoft\Windows Live Mail, xrefs: 00B629EB
• Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\, xrefs: 00B62A75
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Close$Heap$AllocCreateFreeGlobalStream
                                                                                                                                                                                  • String ID: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\$Software\Microsoft\Windows Live Mail$Software\Microsoft\Windows Mail$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                                                                                                                                                                                  • API String ID: 1822467528-1891560094
                                                                                                                                                                                  • Opcode ID: 4f23072d48272ddd1a45a4919ad0bc859e7094f7c3f99b4dba4189b500c4b3d5
                                                                                                                                                                                  • Instruction ID: 42fd907f5fdc3e87f586a37279df195f205004b9320ad5af1d6db97ba943ad1c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4f23072d48272ddd1a45a4919ad0bc859e7094f7c3f99b4dba4189b500c4b3d5
                                                                                                                                                                                  • Instruction Fuzzy Hash: 0B611636308BD482EB709B26E4947AA77A2F7C5B95F448051DE8D47B68DF3CC449CB02
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B7851C: HeapFree.KERNEL32(?,?,00000000,00B6359B), ref: 00B78561
                                                                                                                                                                                  • SetEvent.KERNEL32 ref: 00B68C22
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B68CDC
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32 ref: 00B68CF5
                                                                                                                                                                                  • RegOpenKeyA.ADVAPI32 ref: 00B68D37
                                                                                                                                                                                  • RegSetValueExA.ADVAPI32 ref: 00B68D68
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 00B68D73
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, xrefs: 00B68D22
                                                                                                                                                                                  • EnableSPDY3_0, xrefs: 00B68D59
                                                                                                                                                                                  • user_pref("network.http.spdy.enabled", false);, xrefs: 00B68C92, 00B68CAA
                                                                                                                                                                                  • prefs.js, xrefs: 00B68C37
                                                                                                                                                                                  • %APPDATA%\Mozilla\Firefox\Profiles, xrefs: 00B68C3E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeap$CloseEventObjectOpenSingleValueWait
                                                                                                                                                                                  • String ID: user_pref("network.http.spdy.enabled", false);$%APPDATA%\Mozilla\Firefox\Profiles$EnableSPDY3_0$SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings$prefs.js
                                                                                                                                                                                  • API String ID: 345797870-3405794569
                                                                                                                                                                                  • Opcode ID: 3d66d3fc50f308c1e24548ca70cfea8552695b0e3f15005955bc813b4ab32463
                                                                                                                                                                                  • Instruction ID: 1986026c839b41c5907deecddffb7478a933755c709a24546456f2166f1186a3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3d66d3fc50f308c1e24548ca70cfea8552695b0e3f15005955bc813b4ab32463
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8F518472704A82D2EB10DF25F88079977B1F395798F908112EB8D57664DF3CC98ACB54
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RtlImageNtHeader.NTDLL ref: 00B61E63
                                                                                                                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00B61E7C
                                                                                                                                                                                  • GetCurrentThread.KERNEL32 ref: 00B61E92
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
                                                                                                                                                                                    • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
                                                                                                                                                                                    • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
                                                                                                                                                                                    • Part of subcall function 00B61D1C: lstrlenA.KERNEL32 ref: 00B61DBD
                                                                                                                                                                                    • Part of subcall function 00B61D1C: HeapFree.KERNEL32 ref: 00B61DF1
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B61F24
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B61F36
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B61F9A
                                                                                                                                                                                  • wsprintfA.USER32 ref: 00B61FB0
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B61FB9
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B61FDE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$Temp$AllocCurrentPathThreadlstrlen$CountFileHeaderImageNameTicklstrcpywsprintf
                                                                                                                                                                                  • String ID: DLL load status: %u$PluginRegisterCallbacks
                                                                                                                                                                                  • API String ID: 2420521510-3090718963
                                                                                                                                                                                  • Opcode ID: fa42ef251eb8642a8884e16af855ccfd4df67b5d59797f7ffdce4165aa867e24
                                                                                                                                                                                  • Instruction ID: 0d85d22c6883c5f47b45c2c783938892bf08b0362731e0ea89689daf670e3bb9
                                                                                                                                                                                  • Opcode Fuzzy Hash: fa42ef251eb8642a8884e16af855ccfd4df67b5d59797f7ffdce4165aa867e24
                                                                                                                                                                                  • Instruction Fuzzy Hash: A1516936710A4582EB20DB6AF884B5977B1F789B88F598826EF4D47724DF3CC44AC740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 00B69622
                                                                                                                                                                                  • CreateFileW.KERNEL32 ref: 00B6964D
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B69704
                                                                                                                                                                                    • Part of subcall function 00B76EA0: HeapAlloc.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76EDE
                                                                                                                                                                                    • Part of subcall function 00B76EA0: lstrlenA.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F04
                                                                                                                                                                                    • Part of subcall function 00B76EA0: HeapAlloc.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F18
                                                                                                                                                                                    • Part of subcall function 00B76EA0: lstrcpyA.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F34
                                                                                                                                                                                    • Part of subcall function 00B76EA0: lstrcatA.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F40
                                                                                                                                                                                    • Part of subcall function 00B76EA0: HeapFree.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F52
                                                                                                                                                                                  • GetFileSize.KERNEL32 ref: 00B69685
                                                                                                                                                                                  • CreateFileMappingA.KERNEL32 ref: 00B696A8
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B696C0
                                                                                                                                                                                  • lstrcpyA.KERNEL32 ref: 00B696D0
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B696D8
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B696EC
                                                                                                                                                                                  • CloseHandle.KERNEL32 ref: 00B696FC
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$File$AllocCreateErrorFreeLastlstrcpylstrlen$CloseCountHandleMappingSizeTicklstrcat
                                                                                                                                                                                  • String ID: Local\
                                                                                                                                                                                  • API String ID: 449263349-422136742
APIs
• lstrlenA.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C6DC
• HeapAlloc.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C723
• HeapReAlloc.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C75B
• memcpy.NTDLL(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C78A
• lstrlenA.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C7DB
• memcpy.NTDLL(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C821
• lstrlenA.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C831
• memcpy.NTDLL(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C8B2
• lstrlenA.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C8C5
• lstrlenA.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C90B
• memcpy.NTDLL(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C91C
• LocalFree.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C929
• HeapFree.KERNEL32(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C994
• memcpy.NTDLL(?,?,00000000,?,?,?,00B9D480,00B9D480,?,00B67877), ref: 00B6C9B4
Yara matches
Similarity
• API ID: lstrlenmemcpy$Heap$AllocFree$Local
• String ID:
• API String ID: 320820760-0
APIs
Strings
Yara matches
Similarity
• API ID: String$Free$Variant$AllocClearInitlstrcmpi
• String ID: Account_Name$MessageAccount$SMTP_Email_Address
• API String ID: 410883849-3844700805
APIs
Strings
• --use-spdy=off --disable-http2, xrefs: 00B6EE0D
Yara matches
Similarity
• API ID: Heap$Alloclstrlen$Free_wcsuprlstrcatlstrcpymemcpy
• String ID: --use-spdy=off --disable-http2
• API String ID: 2348846386-3215622688
APIs
Strings
Yara matches
Similarity
• API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
• String ID: | "%s" | %u
• API String ID: 2864405449-3278422759
APIs
Yara matches
Similarity
• API ID: ErrorLastObjectSingleWait$MutexReleaselstrcpynmemcpymemset
• String ID:
• API String ID: 4220474992-0
APIs
  • Part of subcall function 00B6750C: EnterCriticalSection.KERNEL32(?,?,?,00B675A4,?,?,00000000,00B653A4), ref: 00B6751C
  • Part of subcall function 00B6750C: LeaveCriticalSection.KERNEL32(?,?,?,00B675A4,?,?,00000000,00B653A4), ref: 00B67531
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E080
• memset.NTDLL ref: 00B6E096
• lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E0EA
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E120
• memcpy.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E13A
• memset.NTDLL ref: 00B6E14B
• memcpy.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E16E
• memcpy.NTDLL(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E190
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000004,?,00000000,00000119,00B64086), ref: 00B6E1A8
Strings
                                                                                                                                                                                  Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heapmemcpy$AllocCriticalSectionmemset$EnterFreeLeavelstrcmpi
• String ID: Blocked$HIDDEN
• API String ID: 2834240418-4010945860
• Opcode ID: 0634de5bf192994b98131d576cea81ce2cb391af25ffe95fbd21b936a8978791
• Instruction ID: d853ca534b328d296e776384ddec1165b433c2b14537dda44bad2bee9030a82b
• Opcode Fuzzy Hash: 0634de5bf192994b98131d576cea81ce2cb391af25ffe95fbd21b936a8978791
• Instruction Fuzzy Hash: D141D236311A8186DB10DF2AE84475677A1FB85BD8F088064EF5E57795EF3DC50AC700
APIs
Strings
• type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s, xrefs: 00B73326
Yara matches
Similarity
• API ID: lstrlen$Heap$AllocFree
• String ID: type=%S, name=%s, address=%s, server=%s, port=%u, ssl=%s, user=%s, password=%s
• API String ID: 890479616-1056788794
• Opcode ID: 3f96ae6ac17a925ce194bb05246e1102dba7973662d7c3544619b3911fe7fc77
• Instruction ID: 1813be4ab7e2f6e37ee0af6058604fdb6014681196d1d677c430a08019305f25
• Opcode Fuzzy Hash: 3f96ae6ac17a925ce194bb05246e1102dba7973662d7c3544619b3911fe7fc77
• Instruction Fuzzy Hash: 8E514836200A10D6EB14CF62E894B6977E4F798FD4F568626DF5A93B24CF38C986D340
APIs
• lstrlenA.KERNEL32 ref: 00B6DB52
• lstrlenA.KERNEL32 ref: 00B6DB5E
• HeapAlloc.KERNEL32 ref: 00B6DB79
• lstrcpyA.KERNEL32 ref: 00B6DB9F
• lstrlenA.KERNEL32 ref: 00B6DBB7
• lstrlenA.KERNEL32 ref: 00B6DBF9
• lstrlenA.KERNEL32 ref: 00B6DC38
• HeapFree.KERNEL32 ref: 00B6DC6D
• HeapFree.KERNEL32 ref: 00B6DCB3
  • Part of subcall function 00B780A4: lstrlenA.KERNEL32 ref: 00B780C2
  • Part of subcall function 00B780A4: HeapAlloc.KERNEL32 ref: 00B780DC
  • Part of subcall function 00B780A4: memcpy.NTDLL ref: 00B780F3
  • Part of subcall function 00B780A4: memset.NTDLL ref: 00B78105
• HeapFree.KERNEL32 ref: 00B6DC9A
Strings
Yara matches
Similarity
• API ID: lstrlen$Heap$Free$Alloc$lstrcpymemcpymemset
• String ID: http
• API String ID: 2629903374-2541227442
• Opcode ID: ef585cf62dc6ca9925157c706609b1f6bc28d23a9fb9b170ba0126a13e46f73f
• Instruction ID: 5f15223e71d483213145fa159b8bc5a3f2dbbf98ec3526e9f747bcb205ef8a05
• Opcode Fuzzy Hash: ef585cf62dc6ca9925157c706609b1f6bc28d23a9fb9b170ba0126a13e46f73f
• Instruction Fuzzy Hash: 9B415F22718B8986EB14DF62E84476977A1FB89BC4F494165EF4E83725EF7CC44AC700
APIs
Yara matches
Similarity
• API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
• String ID:
• API String ID: 3676034644-0
• Opcode ID: 8be86b0c5fd19cf68ad6fc8daceebad2c446055de8143399b330ba6a6a6cb212
• Instruction ID: ba44094adfc92c226e2a31a3025442f7bf423922dd1d01f1d2f4988cbd4afcbe
• Opcode Fuzzy Hash: 8be86b0c5fd19cf68ad6fc8daceebad2c446055de8143399b330ba6a6a6cb212
• Instruction Fuzzy Hash: 15510876214A04C6DB14CF2AE55475A77B0F789F98F248052EF5E93B68CF3AC896CB40
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00B70161,?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B6A288
• HeapAlloc.KERNEL32(?,?,00000000,00B70161,?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B6A2A7
• memset.NTDLL ref: 00B6A2BE
• HeapFree.KERNEL32(?,?,00000000,00B70161,?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B6A2D7
• memcpy.NTDLL(?,?,00000000,00B70161,?,?,00000000,?,?,00B70A71,?,?,?,00B68501), ref: 00B6A2F9
Strings
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Alloc$Freememcpymemset
                                                                                                                                                                                  • String ID: Content-Length:$HTTP$POST$Referer: $Transfer-Encoding:$chun
• API String ID: 68260371-1096462370
• Opcode ID: 12f0b54530ae533142b177c8cb0824e1ae69656a20eb5397b6d66e3b9268370a
• Instruction ID: a3ee5dde9f9ad5f2767a6724685e4d50aeed0528be17e8c08c92d15eb1e22ebe
• Opcode Fuzzy Hash: 12f0b54530ae533142b177c8cb0824e1ae69656a20eb5397b6d66e3b9268370a
• Instruction Fuzzy Hash: F9316332201B809ADF15DF2AE58031837B0F789B80F484066DB5E57B24EF38E8A5CB05
APIs
• SetEvent.KERNEL32(?,?,00000000,00B723A8,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B80C71
• WaitForSingleObject.KERNEL32 ref: 00B80C91
• CloseHandle.KERNEL32 ref: 00B80C9E
• CloseHandle.KERNEL32 ref: 00B80CAD
• EnterCriticalSection.KERNEL32 ref: 00B80CB7
• LeaveCriticalSection.KERNEL32 ref: 00B80CE3
• Sleep.KERNEL32 ref: 00B80CF0
• CloseHandle.KERNEL32 ref: 00B80CFF
• LocalFree.KERNEL32 ref: 00B80D0E
• DeleteCriticalSection.KERNEL32(?,?,00000000,00B723A8,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B80D18
• HeapFree.KERNEL32(?,?,00000000,00B723A8,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B80D2A
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CloseCriticalHandleSection$Free$DeleteEnterEventHeapLeaveLocalObjectSingleSleepWait
• String ID:
• API String ID: 2999993074-0
• Opcode ID: 8e278cbfacd2e1045ed24b4ea96ce560acc0cab79b32e15e1b982d08b60c8169
• Instruction ID: 5c621c304596a7c2272b4a0d8f8c4144aea430c786f9f28c36b66d2986e77456
• Opcode Fuzzy Hash: 8e278cbfacd2e1045ed24b4ea96ce560acc0cab79b32e15e1b982d08b60c8169
• Instruction Fuzzy Hash: 92217A36221E4192EB48FF62EA943693770FB90BD4F444162DB5B53A74CF38D8AAC300
APIs
• StrChrA.SHLWAPI(?,00B6166F), ref: 00B6314D
• StrChrA.SHLWAPI(?,00B6166F), ref: 00B6316A
• StrTrimA.SHLWAPI(?,00B6166F), ref: 00B63188
• StrTrimA.SHLWAPI(?,00B6166F), ref: 00B63198
• lstrlenA.KERNEL32(?,00B6166F), ref: 00B631DB
• HeapAlloc.KERNEL32(?,00B6166F), ref: 00B631F0
• lstrcpyA.KERNEL32(?,00B6166F), ref: 00B6320D
• HeapFree.KERNEL32 ref: 00B63242
Strings
Yara matches
Similarity
• API ID: HeapTrim$AllocFreelstrcpylstrlen
• String ID: Scr
• API String ID: 3451116848-1633706383
• Opcode ID: a6690092c49c3276f2eb5eaf98e87b14b678b1f041b293f3c194b3c23374b766
• Instruction ID: 4db5f8fb6e285aa7956ecece9215f289ddaea341aeeaafae6f96c26b49a18869
• Opcode Fuzzy Hash: a6690092c49c3276f2eb5eaf98e87b14b678b1f041b293f3c194b3c23374b766
• Instruction Fuzzy Hash: 5B41A329304A4086EB10EFA6E89476A7BE1F789FC4F895055DF0A43729DF7CCA4AC741
APIs
  • Part of subcall function 00B64D14: RegCreateKeyA.ADVAPI32 ref: 00B64D37
  • Part of subcall function 00B64D14: lstrlenA.KERNEL32 ref: 00B64D62
• RegQueryValueExA.ADVAPI32 ref: 00B65109
• RegSetValueExA.ADVAPI32 ref: 00B6516A
• RegCloseKey.ADVAPI32 ref: 00B65177
• HeapAlloc.KERNEL32 ref: 00B651D3
• wsprintfA.USER32 ref: 00B65217
Strings
Yara matches
Similarity
• API ID: Value$AllocCloseCreateHeapQuerylstrlenwsprintf
• String ID: %08x%08x%08x%08x$($($Client
• API String ID: 2771199766-2360310874
• Opcode ID: 2fe958e97636895bcd4874c8057eb2d0911537096a68bec21b71ee6013403061
• Instruction ID: 590aace84d14900f0a022125db7cca70d91aa6b8683a59c5254ec82bb95535e9
• Opcode Fuzzy Hash: 2fe958e97636895bcd4874c8057eb2d0911537096a68bec21b71ee6013403061
• Instruction Fuzzy Hash: 9F418D76200A8987EB20CF56F994B5A77B1F78A798F40411ADE8943B64DF7CC949CB04
APIs
Strings
Yara matches
Similarity
• API ID: Heaplstrlen$AllocCloseCreateFreeValuewsprintf
• String ID: @%s@
• API String ID: 4176907632-4128794767
• Opcode ID: d8759af14741db41903e016958e249536c7fcd89a0649085f94ac597044a05bf
• Instruction ID: 1c1fca9590662107510d6f0867785b5d0153e415bd14f7a5dd7c93f9b493e26d
• Opcode Fuzzy Hash: d8759af14741db41903e016958e249536c7fcd89a0649085f94ac597044a05bf
• Instruction Fuzzy Hash: 26110726704B8186EB109F66F84575AB761FB88BE4F494121EF4D83B69DF7CC449C700
APIs
• HeapAlloc.KERNEL32(?,?,?,00000008), ref: 00B7398E
• HeapAlloc.KERNEL32(?,?,?,00000008), ref: 00B739AF
• lstrlenW.KERNEL32 ref: 00B73A0E
• lstrlenW.KERNEL32 ref: 00B73A2E
• HeapFree.KERNEL32 ref: 00B73A5F
• HeapFree.KERNEL32(?,?,?,00000008), ref: 00B73A71
• GetLastError.KERNEL32(?,?,?,00000008), ref: 00B73AB4
Strings
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFreelstrlen$ErrorLast
                                                                                                                                                                                  • String ID: 1.0$A8000A$EmailAddressCollection/EmailAddress[%u]/Address
                                                                                                                                                                                  • API String ID: 4226019938-2884085418
                                                                                                                                                                                  • Opcode ID: 838dc8df3cb8cf0a62e9e5ab65bc8902cf74e718d30896fc37509a9c12d484bf
                                                                                                                                                                                  • Instruction ID: cea17f7fce353ac69628f48919790f81773a80955c5efd9eb7a5da9046453c97
                                                                                                                                                                                  • Opcode Fuzzy Hash: 838dc8df3cb8cf0a62e9e5ab65bc8902cf74e718d30896fc37509a9c12d484bf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 58511866300A4592EB20DF2AE894BAA77A1FB89FD9F458152CF5E43724DF38C54AD700
APIs
  • Part of subcall function 00B7AC94: lstrlenA.KERNEL32 ref: 00B7ACBB
  • Part of subcall function 00B7AC94: HeapAlloc.KERNEL32 ref: 00B7ACD1
  • Part of subcall function 00B7AC94: HeapAlloc.KERNEL32 ref: 00B7ACEF
  • Part of subcall function 00B7AC94: memcpy.NTDLL ref: 00B7AD38
  • Part of subcall function 00B7AC94: lstrcpyA.KERNEL32 ref: 00B7AD47
• lstrlenA.KERNEL32 ref: 00B7B8C8
• HeapAlloc.KERNEL32 ref: 00B7B8DB
• wsprintfA.USER32 ref: 00B7B901
  • Part of subcall function 00B7AD9C: GetSystemTimeAsFileTime.KERNEL32 ref: 00B7ADCB
  • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7ADED
  • Part of subcall function 00B7AD9C: lstrlenA.KERNEL32 ref: 00B7ADFE
  • Part of subcall function 00B7AD9C: HeapAlloc.KERNEL32 ref: 00B7AE24
  • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7AE45
  • Part of subcall function 00B7AD9C: HeapAlloc.KERNEL32 ref: 00B7AE57
  • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7AE89
  • Part of subcall function 00B7AD9C: memcpy.NTDLL ref: 00B7AE9D
  • Part of subcall function 00B7AD9C: memcpy.NTDLL ref: 00B7AEB8
  • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7AED7
• HeapFree.KERNEL32 ref: 00B7B93E
  • Part of subcall function 00B7B590: GetVersion.KERNEL32(00000000,00000000,000000D8,00B7BA89,?,00B64FAE), ref: 00B7B5C8
  • Part of subcall function 00B7B590: HeapFree.KERNEL32(?,00B64FAE), ref: 00B7B612
  • Part of subcall function 00B7B590: HeapFree.KERNEL32(?,00B64FAE), ref: 00B7B670
  • Part of subcall function 00B7B590: HeapFree.KERNEL32(?,00B64FAE), ref: 00B7B6F5
  • Part of subcall function 00B781B4: lstrlenA.KERNEL32 ref: 00B781CD
  • Part of subcall function 00B781B4: HeapAlloc.KERNEL32 ref: 00B781E8
  • Part of subcall function 00B781B4: memset.NTDLL ref: 00B78214
• GetLastError.KERNEL32 ref: 00B7B9B7
• HeapFree.KERNEL32 ref: 00B7B9CB
• HeapFree.KERNEL32 ref: 00B7BA08
Strings
• form, xrefs: 00B7B8B7
• Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 00B7B8F4
• Content-Type: application/octet-stream, xrefs: 00B7B8ED
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocFree$wsprintf$lstrlen$memcpy$Time$ErrorFileLastSystemVersionlstrcpymemset
• String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream$form
• API String ID: 1526974534-2216708087
• Opcode ID: f7c3835255ea8b9f5f3bc814939ef4c8dae8156602f94575314fde3e72e658c3
• Instruction ID: b4eccea621fdad30504b55d6c7f1ba5efbc0309f784b41d13c3ba6afc21b17ce
• Opcode Fuzzy Hash: f7c3835255ea8b9f5f3bc814939ef4c8dae8156602f94575314fde3e72e658c3
• Instruction Fuzzy Hash: 0B415F26300B858ADB60DF66E884B9A77A5FB89BD4F458065DF6D47B14DF38C84ACB00
APIs
• lstrlenA.KERNEL32 ref: 00B6DCFB
• HeapAlloc.KERNEL32 ref: 00B6DD0E
• memset.NTDLL ref: 00B6DD29
  • Part of subcall function 00B7AC94: lstrlenA.KERNEL32 ref: 00B7ACBB
  • Part of subcall function 00B7AC94: HeapAlloc.KERNEL32 ref: 00B7ACD1
  • Part of subcall function 00B7AC94: HeapAlloc.KERNEL32 ref: 00B7ACEF
  • Part of subcall function 00B7AC94: memcpy.NTDLL ref: 00B7AD38
  • Part of subcall function 00B7AC94: lstrcpyA.KERNEL32 ref: 00B7AD47
• HeapFree.KERNEL32 ref: 00B6DD4D
• lstrcpyA.KERNEL32 ref: 00B6DD5F
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Alloc$lstrcpylstrlen$Freememcpymemset
• String ID: Accept-Encoding:$Connection:$GET$Host:$User-Agent:
• API String ID: 2662158417-3467890120
• Opcode ID: 1bc7ccd4396567f8ae2c8b52f9aa85e4092f3fa604767a52a6fcb7ff82224324
• Instruction ID: c5c0deee49d9124dcccca3a14e6e7ca3c26f82188931c4160a879f341acd3d07
• Opcode Fuzzy Hash: 1bc7ccd4396567f8ae2c8b52f9aa85e4092f3fa604767a52a6fcb7ff82224324
• Instruction Fuzzy Hash: 20216D75714B4086DA00EF26B890369B3A1F7C9BC0F888061EE4A57715DF7CC546CB01
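The two function records above are the sample's HTTP request builders: one formats a multipart/form-data body from the literal header lines `Content-Disposition: form-data; name="upload_file"; filename="%s"` and `Content-Type: application/octet-stream` (wsprintfA at 00B7B901 with the strings cross-referenced at 00B7B8ED and 00B7B8F4), the other assembles a GET with `Host:`, `User-Agent:`, `Accept-Encoding:` and `Connection:` headers. The following Python is an added example for analysts reviewing captured traffic from this sample; it is not code from the report or from the malware. It parses a raw POST, walks the multipart parts and flags a part that matches the recovered header shape. The report exposes only the format strings, so the boundary value, request line and hostname used to build the constructed sample request are assumptions.

```python
"""Detect a multipart upload whose part headers match the strings recovered
from the dump (name="upload_file", Content-Type: application/octet-stream).
All request bytes in this file are constructed test input."""
import re
from typing import Dict, List, Optional

# Assumption: the boundary token is not visible in the report; this value is
# used only to build the constructed sample request below.
ASSUMED_BOUNDARY = b"----form"


def build_upload_request(host: bytes, filename: bytes, payload: bytes) -> bytes:
    """Assemble a constructed POST using the literal part headers from the dump.
    The request line and Host value are assumptions, not observed C2 traffic."""
    part = (
        b"--" + ASSUMED_BOUNDARY + b"\r\n"
        + b'Content-Disposition: form-data; name="upload_file"; filename="' + filename + b'"\r\n'
        + b"Content-Type: application/octet-stream\r\n\r\n"
        + payload + b"\r\n"
        + b"--" + ASSUMED_BOUNDARY + b"--\r\n"
    )
    head = (
        b"POST /upload HTTP/1.1\r\n"
        + b"Host: " + host + b"\r\n"
        + b"Content-Type: multipart/form-data; boundary=" + ASSUMED_BOUNDARY + b"\r\n"
        + b"Content-Length: " + str(len(part)).encode() + b"\r\n\r\n"
    )
    return head + part


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def parse_multipart(body: bytes, boundary: bytes) -> List[Dict[str, Optional[bytes]]]:
    """Return one dict per part: name, filename, content_type and raw data.
    Each chunk between delimiters is CRLF + part headers + CRLFCRLF + data + CRLF."""
    parts = []
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        chunk = chunk.lstrip(b"\r\n")
        hdr, _, data = chunk.partition(b"\r\n\r\n")
        fields: Dict[bytes, bytes] = {}
        for line in hdr.split(b"\r\n"):
            key, _, value = line.partition(b":")
            fields[key.strip().lower()] = value.strip()
        disp = fields.get(b"content-disposition", b"")
        name = re.search(rb'name="([^"]*)"', disp)
        fname = re.search(rb'filename="([^"]*)"', disp)
        if data.endswith(b"\r\n"):
            data = data[:-2]  # drop the CRLF that precedes the next delimiter
        parts.append({
            "name": name.group(1) if name else None,
            "filename": fname.group(1) if fname else None,
            "content_type": fields.get(b"content-type"),
            "data": data,
        })
    return parts


def flag_upload(raw: bytes) -> Optional[Dict[str, object]]:
    """Return details of a part matching the recovered header shape, else None."""
    req = parse_request(raw)
    ctype = req["headers"].get(b"content-type", b"")
    m = re.search(rb"boundary=([^;\s]+)", ctype)
    if req["method"] != b"POST" or not m:
        return None
    for part in parse_multipart(req["body"], m.group(1)):
        if part["name"] == b"upload_file" and part["content_type"] == b"application/octet-stream":
            return {"host": req["headers"].get(b"host"),
                    "filename": part["filename"],
                    "size": len(part["data"])}
    return None


if __name__ == "__main__":
    sample = build_upload_request(b"example.invalid", b"cookies.bin", b"\x00\x01binary\r\n")
    print(flag_upload(sample))
```

The field name `upload_file` and an octet-stream part are common in benign web applications, so a hit from `flag_upload` is a triage lead, not a verdict; pair it with the destination host, the process that originated the connection (the report attributes this code to a memory region inside svchost.exe) and the GET beacon headers from the sibling record.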
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Thread$CriticalSection$EnterLeaveResumeSuspendSwitchmemcpy
• String ID: 0123456789ABCDEF$P
• API String ID: 1863160333-4199925091
• Opcode ID: ad66a04ebbb8590323bbdc366796c928eac002c02d21c0eadb47ab389f32edbc
• Instruction ID: 0022c53a426b92592a64e7eb85b906076caea1dbfb497a6e789fac7037b6bd30
• Opcode Fuzzy Hash: ad66a04ebbb8590323bbdc366796c928eac002c02d21c0eadb47ab389f32edbc
• Instruction Fuzzy Hash: 42612972218B44CEEB10EB1AE99436A77B1FBC8B85F914036EB8D47769CB38C444CB05
APIs
  • Part of subcall function 00B752A4: lstrlenA.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752C2
  • Part of subcall function 00B752A4: HeapAlloc.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752D8
  • Part of subcall function 00B752A4: mbstowcs.NTDLL ref: 00B752F0
  • Part of subcall function 00B752A4: HeapFree.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75311
• lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B69930
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756A3
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756D8
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B756E5
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75738
  • Part of subcall function 00B75668: memset.NTDLL ref: 00B7575C
  • Part of subcall function 00B75668: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7577B
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757C1
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757D1
  • Part of subcall function 00B75668: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B757F9
• lstrlenW.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B6998D
  • Part of subcall function 00B75668: memset.NTDLL ref: 00B7581B
  • Part of subcall function 00B75668: wcscpy.NTDLL ref: 00B7582E
  • Part of subcall function 00B75668: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758B0
  • Part of subcall function 00B75668: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758DF
  • Part of subcall function 00B75668: FindNextFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B758F2
  • Part of subcall function 00B75668: WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B75907
  • Part of subcall function 00B75668: FindClose.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7591F
  • Part of subcall function 00B75668: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7594F
  • Part of subcall function 00B75668: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7597E
  • Part of subcall function 00B75668: HeapFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00B69957), ref: 00B7599E
• LocalFree.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B699B5
• WaitForSingleObject.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B699D8
• HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B69A29
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B69A45
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00B69AC1,?,?,?,?,?,?,?,00B6131B), ref: 00B69A57
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$lstrlen$Free$AllocFind$File$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterLeaveLocalNextmbstowcswcscpy
                                                                                                                                                                                  • String ID: *.*
                                                                                                                                                                                  • API String ID: 3761820065-438819550
                                                                                                                                                                                  • Opcode ID: 1f5e66f8b93f07a56d74f5ccea10c8901f093a5ba2f823f697208dd3a7e9048e
                                                                                                                                                                                  • Instruction ID: bfc134d9aea8b5bfaa129602601e743b7969762e109d540d16f9f81ac8e7cdd7
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1f5e66f8b93f07a56d74f5ccea10c8901f093a5ba2f823f697208dd3a7e9048e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F413822215B91D2EA10DFA2F94475A77A5FB88BC4F844426EA4E47B68CF3CC596C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
                                                                                                                                                                                    • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
                                                                                                                                                                                    • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
                                                                                                                                                                                    • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
                                                                                                                                                                                  • lstrcpyA.KERNEL32 ref: 00B75DE7
                                                                                                                                                                                  • CreateDirectoryA.KERNEL32 ref: 00B75DFE
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 00B75E08
                                                                                                                                                                                  • GetTempFileNameA.KERNEL32 ref: 00B75E1E
                                                                                                                                                                                  • lstrcpyA.KERNEL32 ref: 00B75E3B
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B75E4F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Temp$lstrcpy$CountFileHeapNamePathTick$AllocCreateDirectoryFree
                                                                                                                                                                                  • String ID: .bin$\Low
                                                                                                                                                                                  • API String ID: 400280060-4063908808
                                                                                                                                                                                  • Opcode ID: 5fc3c65c8ea31b4b6f630452ccdc6167e0e0b280134c2417b21631b6bc360238
                                                                                                                                                                                  • Instruction ID: 3ec0d365374eb3b71bed1533de04e6877f277709658962c0478c3fb921b35e4c
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5fc3c65c8ea31b4b6f630452ccdc6167e0e0b280134c2417b21631b6bc360238
                                                                                                                                                                                  • Instruction Fuzzy Hash: 60110C21701A0182EF24EFA6A89CB6926D1BB99F85F89C4798B1E47354EF7CC649C311
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
                                                                                                                                                                                  • GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
                                                                                                                                                                                  • GetTickCount.KERNEL32 ref: 00B75D45
                                                                                                                                                                                  • GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D88
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Temp$HeapPath$AllocCountFileFreeNameTicklstrcpy
                                                                                                                                                                                  • String ID: .bin
                                                                                                                                                                                  • API String ID: 2764796691-886015214
                                                                                                                                                                                  • Opcode ID: b784e5636b4dd928acd644ee3c9d1e7a0a5e0717fe88ed246e40e09a6c95e27a
                                                                                                                                                                                  • Instruction ID: 75dcaad2a7715124a06a4f3d6984f222ae00434e853397bfb5f230e5b02dd430
                                                                                                                                                                                  • Opcode Fuzzy Hash: b784e5636b4dd928acd644ee3c9d1e7a0a5e0717fe88ed246e40e09a6c95e27a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6C111225704B4182EB249F67B888B2A77A2FB88BD5F49C474DB1A47364DF7CC44A8700
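The two records above (the helper at 00B75CF8 and the routine whose own calls run from 00B75DE7 to 00B75E4F) show the sample deriving a temp path with GetTempPathA, appending "\Low", creating that directory, and naming files with GetTempFileNameA seeded from GetTickCount, with the string ".bin" referenced alongside. The Low subdirectory of %TEMP% is the location low-integrity processes (for example a Protected Mode browser tab) are permitted to write to. The Python below is an added example, not code from the report or from the sample: it models the documented GetTempFileNameA naming rule so the on-disk artifact shape is explicit, and runs a hunt over a constructed directory listing. The prefix string, the listing, and the inference that the lstrcpyA following GetTempFileNameA swaps the .TMP extension for .bin are assumptions and are marked as such in the code.

```python
import re

def gettempfilename_a(path: str, prefix: str, unique: int) -> str:
    r"""Model of Win32 GetTempFileNameA for a non-zero uUnique.

    Documented result: <path>\<pre><uuuu>.TMP, where <pre> is at most the first
    three characters of lpPrefixString and <uuuu> is the hexadecimal value of
    the low 16 bits of uUnique. With uUnique != 0 the API neither creates the
    file nor checks that the name is unused; the caller must do that itself.
    (The sample feeds GetTickCount into this argument.)
    """
    pre = prefix[:3]
    uuuu = f"{unique & 0xFFFF:04X}"
    return f"{path.rstrip(chr(92))}\\{pre}{uuuu}.TMP"

def with_bin_extension(name: str) -> str:
    """Assumption, not established by the report: the lstrcpyA that follows
    GetTempFileNameA overwrites the .TMP extension with the '.bin' string
    that is cross-referenced in the same function."""
    stem, _, _ = name.rpartition(".")
    return stem + ".bin"

# Hunt pattern derived from the two records: a .bin file directly under
# %LOCALAPPDATA%\Temp\Low whose stem ends in the 4-hex-digit GetTempFileName
# suffix. .tmp is deliberately excluded: GetTempFileName-style *.tmp names are
# produced by plenty of legitimate software and would make the hunt noisy.
LOW_TEMP_BIN_RE = re.compile(
    r"\\AppData\\Local\\Temp\\Low\\[^\\]{0,3}[0-9A-Fa-f]{4}\.bin$", re.IGNORECASE
)

def hunt_low_temp_artifacts(listing):
    """Return the paths in a directory listing that match the artifact shape."""
    return [p for p in listing if LOW_TEMP_BIN_RE.search(p)]

# Constructed directory listing (hypothetical user name and file names; not
# taken from the report) to exercise the hunt. Only the first entry matches:
# the .docx has the wrong shape, 'data' is not a hex suffix, and the last
# entry is outside the Low subdirectory.
SAMPLE_LISTING = [
    r"C:\Users\alice\AppData\Local\Temp\Low\abc1F2E.bin",
    r"C:\Users\alice\AppData\Local\Temp\Low\report.docx",
    r"C:\Users\alice\AppData\Local\Temp\Low\data.bin",
    r"C:\Users\alice\AppData\Local\Temp\abc1F2E.bin",
]

if __name__ == "__main__":
    generated = gettempfilename_a(
        r"C:\Users\alice\AppData\Local\Temp\Low", "abc", 0x12345678
    )
    print("GetTempFileNameA would return:", generated)
    print("after the assumed extension swap:", with_bin_extension(generated))
    print("hunt hits:", hunt_low_temp_artifacts(SAMPLE_LISTING))
```

NTFS path comparison is case-insensitive, so the regex is compiled with IGNORECASE rather than relying on the exact casing of the documented ".TMP" or of the hex digits.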
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorLast$CloseHandleOpen$CreateDuplicateProcess
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 839804029-0
                                                                                                                                                                                  • Opcode ID: 1faaebb678b4f0c638fdd22ea4811676f5f16dae31966556e2fdfa4780ac4105
                                                                                                                                                                                  • Instruction ID: defa68e797d67d34c9a5037ff33ca83c8fcf69b3658c4bbf0d7fb9c2c7dc3d69
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1faaebb678b4f0c638fdd22ea4811676f5f16dae31966556e2fdfa4780ac4105
                                                                                                                                                                                  • Instruction Fuzzy Hash: 10316D36204A8086D7109F66F48475A7BE1F788FA4F500562DF4A63B64DB7EC589CB21
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B73030
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B73043
                                                                                                                                                                                  • wsprintfA.USER32 ref: 00B7306E
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: GetSystemTimeAsFileTime.KERNEL32 ref: 00B7ADCB
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7ADED
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: lstrlenA.KERNEL32 ref: 00B7ADFE
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: HeapAlloc.KERNEL32 ref: 00B7AE24
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7AE45
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: HeapAlloc.KERNEL32 ref: 00B7AE57
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7AE89
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: memcpy.NTDLL ref: 00B7AE9D
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: memcpy.NTDLL ref: 00B7AEB8
                                                                                                                                                                                    • Part of subcall function 00B7AD9C: wsprintfA.USER32 ref: 00B7AED7
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B7312C
                                                                                                                                                                                    • Part of subcall function 00B72EC4: EnterCriticalSection.KERNEL32 ref: 00B72EF3
                                                                                                                                                                                    • Part of subcall function 00B72EC4: LeaveCriticalSection.KERNEL32 ref: 00B72F14
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B73108
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B7311A
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • form, xrefs: 00B73007
                                                                                                                                                                                  • Content-Disposition: form-data; name="upload_file"; filename="%s", xrefs: 00B73064
                                                                                                                                                                                  • Content-Type: application/octet-stream, xrefs: 00B7305D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$wsprintf$AllocFree$CriticalSectionTimelstrlenmemcpy$EnterFileLeaveSystem
                                                                                                                                                                                  • String ID: Content-Disposition: form-data; name="upload_file"; filename="%s"$Content-Type: application/octet-stream$form
                                                                                                                                                                                  • API String ID: 1509223482-2216708087
                                                                                                                                                                                  • Opcode ID: cc8336886e0ec670467800cfdb7ac5b700aa80ed1ea17ab9c5da7a7469d53586
                                                                                                                                                                                  • Instruction ID: a97812578133e7625b7b72b0cc10b987d3653fd82ec8085c08a515e275a3a17a
                                                                                                                                                                                  • Opcode Fuzzy Hash: cc8336886e0ec670467800cfdb7ac5b700aa80ed1ea17ab9c5da7a7469d53586
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9E315C36204B919ADB20DF16F884B9A77A5F788B94F454125DF8D93B24CF38C58ACB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • CreateEventA.KERNEL32(?,?,0000012B,00000001,?), ref: 00B6F2C1
                                                                                                                                                                                  • WriteFile.KERNEL32 ref: 00B6F30E
                                                                                                                                                                                  • ReadFile.KERNEL32 ref: 00B6F316
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B6F320
                                                                                                                                                                                  • WaitForMultipleObjects.KERNEL32 ref: 00B6F341
                                                                                                                                                                                  • GetOverlappedResult.KERNEL32 ref: 00B6F361
                                                                                                                                                                                  • CancelIo.KERNEL32 ref: 00B6F37F
                                                                                                                                                                                  • CloseHandle.KERNEL32 ref: 00B6F390
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,0000012B,00000001,?), ref: 00B6F398
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4263211335-0
                                                                                                                                                                                  • Opcode ID: 9f8479ab2e58b048e57b944e2ffc6c3de5893632834e4dec728b5fa94898e5c2
                                                                                                                                                                                  • Instruction ID: a5ab490444ea96048e3b561392dfa1ce635e6ca89b1f78b3578326f9a7407636
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9f8479ab2e58b048e57b944e2ffc6c3de5893632834e4dec728b5fa94898e5c2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 5C317E32228B91C6EB509B65F888B6A73A4F788B94F554135DB8E83B14EF38C849C704
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B7A2B0: HeapAlloc.KERNEL32 ref: 00B7A2E4
                                                                                                                                                                                    • Part of subcall function 00B7A2B0: memcpy.NTDLL ref: 00B7A2FF
                                                                                                                                                                                    • Part of subcall function 00B7A2B0: memset.NTDLL ref: 00B7A338
                                                                                                                                                                                    • Part of subcall function 00B7A2B0: HeapFree.KERNEL32 ref: 00B7A349
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B65342
                                                                                                                                                                                  • lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B65372
                                                                                                                                                                                  • RegSetValueExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B653D9
                                                                                                                                                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B653E9
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B65469
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B65480
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$Alloc$CloseValuelstrcmpimemcpymemset
                                                                                                                                                                                  • String ID: Main
                                                                                                                                                                                  • API String ID: 1401969112-521822810
                                                                                                                                                                                  • Opcode ID: b381c6780e5067431f9fd09525e89712687ba23c173a31607f41774881ccb28d
                                                                                                                                                                                  • Instruction ID: e55a30fd3a5fd9194a42fc7a6c448485c89364f8931e63f74f7a497e3db1b6b2
                                                                                                                                                                                  • Opcode Fuzzy Hash: b381c6780e5067431f9fd09525e89712687ba23c173a31607f41774881ccb28d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 64516E26310A8096DB20EF26E88075A77A2F7C8BD4F548452EB4E87718DF3CC989C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocHeaplstrcpylstrcpynlstrlen
                                                                                                                                                                                  • String ID: Unknown
                                                                                                                                                                                  • API String ID: 231384863-1654365787
                                                                                                                                                                                  • Opcode ID: 06af6ce9d538635688a69ceffc031f8683523a47945bc47d1672632e3db9c866
                                                                                                                                                                                  • Instruction ID: 06265f0194c9ffb90a5e2793cd66cbbafa72a11432589bc0d5d06ef68f12dcce
                                                                                                                                                                                  • Opcode Fuzzy Hash: 06af6ce9d538635688a69ceffc031f8683523a47945bc47d1672632e3db9c866
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4E41A232204B9586DB20DF15E844BAA77A5F789BD4F848126DF5D47B54DF3CC94ACB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyA.ADVAPI32 ref: 00B6339C
                                                                                                                                                                                    • Part of subcall function 00B78A04: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B61B23), ref: 00B78A60
                                                                                                                                                                                    • Part of subcall function 00B78A04: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B61B23), ref: 00B78AD5
                                                                                                                                                                                  • lstrcmpiW.KERNEL32 ref: 00B633DE
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 00B633EB
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B63434
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B63457
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 00B63462
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B6338A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                   • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                   • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$CloseFree$AllocOpenlstrcmpilstrlen
• String ID: Software\Microsoft\Windows\CurrentVersion\Run
• API String ID: 3867856032-1428018034
• Opcode ID: 2f4c7b6c27b5b6d358578dcd0ff352d193527e565a3b89c4355827327ea55a47
• Instruction ID: a632bbe503204ce07d628689e98d7a52f12a1e7b2a9facb98f43b880de1b2ef2
• Opcode Fuzzy Hash: 2f4c7b6c27b5b6d358578dcd0ff352d193527e565a3b89c4355827327ea55a47
• Instruction Fuzzy Hash: 46314A76204B8482E710DB66E85439ABBA0FBC9F94F854126EF4987765DFBCC58AC700
APIs
• GetVersion.KERNEL32(?,?,00000000,00B722C2,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B76D1F
• GetModuleHandleA.KERNEL32(?,?,00000000,00B722C2,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B76D30
• GetProcAddress.KERNEL32(?,?,00000000,00B722C2,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B76D40
• HeapFree.KERNEL32(?,?,00000000,00B722C2,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B76D88
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Yara matches
Similarity
• API ID: AddressFreeHandleHeapModuleProcVersion
• String ID: LdrUnregisterDllNotification$NTDLL.DLL
• API String ID: 2974905969-3940208311
• Opcode ID: c9ddd18a8a797977759c8d0f281c5dd6aaf1920a585abf566a09c49ef8849bd8
• Instruction ID: 49f2f5f00e27875718c99823cc8b5fbe9fe934e5f82f149931c94a939c0e79f1
• Opcode Fuzzy Hash: c9ddd18a8a797977759c8d0f281c5dd6aaf1920a585abf566a09c49ef8849bd8
• Instruction Fuzzy Hash: 69212332215E44D5EA249F16F8943697771F788BC0F988026DB9E43768CF38C49AC300
APIs
  • Part of subcall function 00B64D14: RegCreateKeyA.ADVAPI32 ref: 00B64D37
  • Part of subcall function 00B64D14: lstrlenA.KERNEL32 ref: 00B64D62
• HeapAlloc.KERNEL32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B659D7
• HeapAlloc.KERNEL32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B659F7
• HeapFree.KERNEL32 ref: 00B65A7F
• HeapAlloc.KERNEL32 ref: 00B65A95
• WaitForSingleObject.KERNEL32 ref: 00B65AFC
• HeapFree.KERNEL32 ref: 00B65B24
• HeapFree.KERNEL32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B65B36
• RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000008,?,3C6EF35F,00B65D94), ref: 00B65B41
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Yara matches
Similarity
• API ID: Heap$AllocFree$CloseCreateObjectSingleWaitlstrlen
• String ID:
• API String ID: 2036970056-0
• Opcode ID: b1476027d716d9185638a1b7ddad8ab7d6ccb9725062e40021f924d8508fcdc7
• Instruction ID: 5965dd7350ec0b7b78794ad78cc9b5c2dd3c54a0da29ae7d0cf19d3855429d6b
• Opcode Fuzzy Hash: b1476027d716d9185638a1b7ddad8ab7d6ccb9725062e40021f924d8508fcdc7
• Instruction Fuzzy Hash: 6D514976204B8486E720DF52E98875A77A2F7C9BD0F254526DF4A43B24CF7CC896CB00
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Yara matches
Similarity
• API ID: Heap$FreeTime$AllocCreateDirectoryErrorFileLastSystemlstrcpylstrlen
• String ID:
• API String ID: 347137194-0
• Opcode ID: 1aa22330849e04a49507f3abcf2d9ed485005afb7843b7e8e9f6742923c09ce1
• Instruction ID: f04cca30091b32badba3802ffe1ede7834e1f8b65d5ccc7ecfa91094787befea
• Opcode Fuzzy Hash: 1aa22330849e04a49507f3abcf2d9ed485005afb7843b7e8e9f6742923c09ce1
• Instruction Fuzzy Hash: 9C317826714B8186EB24CB66A84475ABBE1FBC8FC4F494065DF4E83B65EF3CC54A8700
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Yara matches
Similarity
• API ID: Heap$AllocFreelstrlen$mbstowcswcstombs
• String ID:
• API String ID: 2620562290-0
• Opcode ID: 6912d2076587290fb0bb0b400115f29a8cfaebd9dc561b5b0dc13cb464657f10
• Instruction ID: 7c4ae76f338c708fd91c080b18ac725987fd2dec4ad34f17f3ff978e42a4bc9a
• Opcode Fuzzy Hash: 6912d2076587290fb0bb0b400115f29a8cfaebd9dc561b5b0dc13cb464657f10
• Instruction Fuzzy Hash: E4218C25710B4482EF14DB67A858B55B7A2FB99FD0F4941698F0E83764EF3CC08A8300
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Yara matches
Similarity
• API ID: Globalmemset$AllocHeapLockProcessThreadUnlockWindowlstrcpylstrlen
• String ID:
• API String ID: 741049644-0
• Opcode ID: d9b0b5234f2341a79a1a12001887d8cdea8903050dd2be2602d3f03145f739ed
• Instruction ID: 3b69f6aa06cfe5e7d446d7c93414c854188b7cd67f11524c4aeef763639c2e85
• Opcode Fuzzy Hash: d9b0b5234f2341a79a1a12001887d8cdea8903050dd2be2602d3f03145f739ed
• Instruction Fuzzy Hash: E8313632706B4186EB25DB26A85432A77A1FB88B81F884165DB5E07764EF38C509CB04
APIs
• SwitchToThread.KERNEL32(?,?,00000001,00B72394,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7E902
• CloseHandle.KERNEL32(?,?,00000001,00B72394,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7E90F
• CloseHandle.KERNEL32(?,?,00000001,00B72394,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7E929
• memset.NTDLL ref: 00B7E950
• memset.NTDLL ref: 00B7E972
• memset.NTDLL ref: 00B7E98F
• memset.NTDLL ref: 00B7E9AC
• HeapFree.KERNEL32(?,?,00000001,00B72394,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7E9C6
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset$CloseHandle$FreeHeapSwitchThread
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2270483019-0
                                                                                                                                                                                  • Opcode ID: 69b89b510512deb776666c1445dcba3de3d98f84a4d8485e42d6877e3e43ba90
                                                                                                                                                                                  • Instruction ID: 247e7ac309cc65243752e23edd6672291649dde1d4d42f99f262987b6064373b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 69b89b510512deb776666c1445dcba3de3d98f84a4d8485e42d6877e3e43ba90
                                                                                                                                                                                  • Instruction Fuzzy Hash: C5216D65614A0092FF04EF62FD9177473B2FB88B81F8481A5AB1E46271DF3CC589C308
APIs
• lstrlenA.KERNEL32(?,?,00000000,00B6550A), ref: 00B69BB2
• lstrlenA.KERNEL32(?,?,00000000,00B6550A), ref: 00B69BBE
• HeapAlloc.KERNEL32(?,?,00000000,00B6550A), ref: 00B69BD5
• wsprintfA.USER32 ref: 00B69BF3
  • Part of subcall function 00B69724: memset.NTDLL ref: 00B6974C
  • Part of subcall function 00B69724: lstrlenW.KERNEL32 ref: 00B697A2
  • Part of subcall function 00B69724: wcstombs.NTDLL ref: 00B697B3
  • Part of subcall function 00B69724: HeapFree.KERNEL32 ref: 00B697CA
  • Part of subcall function 00B69724: CreateProcessA.KERNEL32 ref: 00B69811
  • Part of subcall function 00B69724: WaitForMultipleObjects.KERNEL32 ref: 00B69841
  • Part of subcall function 00B69724: CloseHandle.KERNEL32 ref: 00B69877
  • Part of subcall function 00B69724: CloseHandle.KERNEL32 ref: 00B69882
  • Part of subcall function 00B69724: HeapFree.KERNEL32 ref: 00B698A8
• wsprintfA.USER32 ref: 00B69C22
  • Part of subcall function 00B69724: GetExitCodeProcess.KERNEL32 ref: 00B6986C
  • Part of subcall function 00B69724: GetLastError.KERNEL32 ref: 00B6988A
• HeapFree.KERNEL32(?,?,00000000,00B6550A), ref: 00B69C43
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Freelstrlen$CloseHandleProcesswsprintf$AllocCodeCreateErrorExitLastMultipleObjectsWaitmemsetwcstombs
• String ID: cmd /C "%s> %s1"$echo -------- >
• API String ID: 3696417543-1722754249
• Opcode ID: 2dc6a98135092fbd2ee34dd66427e20d96bb97379d0033f345f9008e0531d9b0
• Instruction ID: c0162c6bbcf7bf8e5f9b8b27f932b7e439091d2679efc594c4c01fc2eee606f1
• Opcode Fuzzy Hash: 2dc6a98135092fbd2ee34dd66427e20d96bb97379d0033f345f9008e0531d9b0
• Instruction Fuzzy Hash: 73114C65715B8086EB14EB66B8883A973A1FB8DFC4F854025DF4E47B29DF3CC94A8300
APIs
  • Part of subcall function 00B6750C: EnterCriticalSection.KERNEL32(?,?,?,00B675A4,?,?,00000000,00B653A4), ref: 00B6751C
  • Part of subcall function 00B6750C: LeaveCriticalSection.KERNEL32(?,?,?,00B675A4,?,?,00000000,00B653A4), ref: 00B67531
• HeapAlloc.KERNEL32(?,?,00000000,00B653A4,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00B675CC
• lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B675E1
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B675F7
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B67611
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B67627
• lstrcpyA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B67652
• EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B6765F
• LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B630EB), ref: 00B676CF
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Heap$AllocEnterLeave$Freelstrcpylstrlenmemcpy
• String ID:
• API String ID: 3503894462-0
• Opcode ID: 86cd31c9351d40a1447702c26fc9e5dda5dc0df824bb008d8cfdabb3a4d7204f
• Instruction ID: 6d5fc30056a09e8e21d026ead493f766cf1d96a7ed8b67dbb3859c80033ee5aa
• Opcode Fuzzy Hash: 86cd31c9351d40a1447702c26fc9e5dda5dc0df824bb008d8cfdabb3a4d7204f
• Instruction Fuzzy Hash: 70416572245F408AEB10CF26E89076877A0FB98F88F098465EE4E0B324DF3CC846C340
APIs
• lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A489
• lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A496
• lstrlenA.KERNEL32(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A506
• HeapAlloc.KERNEL32(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A539
• memcpy.NTDLL(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A550
• memcpy.NTDLL(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A56B
• memcpy.NTDLL(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A583
• memcpy.NTDLL(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A59D
• memcpy.NTDLL(?,00000000,00000000,00000000,?,00B7003C,?,?,00000000,00B704B7,?,?,00000000,?,?,00B70A71), ref: 00B6A5B0
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: memcpy$lstrlen$AllocHeap
• String ID:
• API String ID: 2757895527-0
• Opcode ID: e5cea6eb85020d3be79e0e6bc690928af0c2fc0c5d29798a52153202f4676585
• Instruction ID: eaffe038090be56d8d48335862e59b5f28fb0d781dd637838f3ffd1c53126ad8
• Opcode Fuzzy Hash: e5cea6eb85020d3be79e0e6bc690928af0c2fc0c5d29798a52153202f4676585
• Instruction Fuzzy Hash: 2031D06371164086DE24DF1AA858B6AB7E1FB88BD8F4981659F4E17711EF3CD909CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ProcessThread$Window$CloseCurrentHandleOpen_struprlstrlen
• String ID:
• API String ID: 3831658075-0
• Opcode ID: 1706c6c877883bd845d14e1f1b477d3732aac6541fcac0f188d441d0bf71f3eb
• Instruction ID: 4946cb65237c841493243c837b4641d13931bfe5e7f16d5cb87d812dba3f758b
• Opcode Fuzzy Hash: 1706c6c877883bd845d14e1f1b477d3732aac6541fcac0f188d441d0bf71f3eb
• Instruction Fuzzy Hash: 3241B03A701A8087EB31AB65E8447AA76E1FB8DB84F548464DE6983714EF3CD949C700
APIs
• VirtualProtect.KERNEL32 ref: 00B76668
• GetLastError.KERNEL32 ref: 00B767CE
  • Part of subcall function 00B764E0: lstrlenA.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76535
  • Part of subcall function 00B764E0: HeapAlloc.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76548
  • Part of subcall function 00B764E0: lstrcpyA.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76561
  • Part of subcall function 00B764E0: StrChrA.SHLWAPI(?,?,?,?,00000001,00B76B7C), ref: 00B7656D
  • Part of subcall function 00B764E0: GetModuleHandleA.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76594
  • Part of subcall function 00B764E0: HeapFree.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B765D6
• VirtualProtect.KERNEL32 ref: 00B766E0
• VirtualProtect.KERNEL32 ref: 00B76728
• VirtualProtect.KERNEL32 ref: 00B7674B
• EnterCriticalSection.KERNEL32 ref: 00B76773
• LeaveCriticalSection.KERNEL32 ref: 00B767A0
  • Part of subcall function 00B76380: HeapAlloc.KERNEL32 ref: 00B7641B
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual$Heap$AllocCriticalSection$EnterErrorFreeHandleLastLeaveModulelstrcpylstrlen
• String ID:
• API String ID: 3126486416-0
• Opcode ID: af28a77eb3ac084180139ed4af77b3a8adeb11cfb8a7a53ea186bc8e766855d7
• Instruction ID: 93cac52092e14d59839b6947be20999ee8f7f2d0f9f70c8f9e1f408700329ac1
• Opcode Fuzzy Hash: af28a77eb3ac084180139ed4af77b3a8adeb11cfb8a7a53ea186bc8e766855d7
• Instruction Fuzzy Hash: 9C515A76210B1486D724CF16EA8471AB7E8F748BC8F54816AEF9D83B14DF38D965CB04
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$CloseFileHandleView$Unmapmemsetwcstombs
• String ID:
• API String ID: 3850253092-0
• Opcode ID: 9edb5421031ad1040acecb9ba2469d555fb5e847c0dbd3fbd130678842775aef
• Instruction ID: 4bd8bd3586c99564e2c08e4c9fa576f124795791c61fba65ab81bbd87a6d7d43
• Opcode Fuzzy Hash: 9edb5421031ad1040acecb9ba2469d555fb5e847c0dbd3fbd130678842775aef
• Instruction Fuzzy Hash: D541CF32204A808ADB219F35F9947AE77A1F395BC8F558161DF9A97715CF3CC886CB40
APIs
• lstrcpyA.KERNEL32 ref: 00B625DA
  • Part of subcall function 00B752A4: lstrlenA.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752C2
  • Part of subcall function 00B752A4: HeapAlloc.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752D8
  • Part of subcall function 00B752A4: mbstowcs.NTDLL ref: 00B752F0
  • Part of subcall function 00B752A4: HeapFree.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75311
• GetLastError.KERNEL32 ref: 00B62689
• HeapFree.KERNEL32 ref: 00B6269D
• DeleteFileA.KERNEL32 ref: 00B626D5
• HeapFree.KERNEL32 ref: 00B626E7
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
  • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
  • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
  • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
  • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$FreeTemp$AllocFilePathlstrcpy$CountDeleteErrorLastNameTicklstrlenmbstowcs
• String ID: .avi
• API String ID: 2358123550-1706533258
• Opcode ID: 360ad862f5fbee8cf54517c4d26ed52710395685e786b08c97212f46bb5f3e5e
• Instruction ID: 67618e10bfadd575313c13661267f1e889ccb326e54d6e82b057d1bb84f296e7
• Opcode Fuzzy Hash: 360ad862f5fbee8cf54517c4d26ed52710395685e786b08c97212f46bb5f3e5e
• Instruction Fuzzy Hash: B7312231304B5187FB18ABAAF99432A76D1EB88BD0F4440399F4E87B91DF7CC8468740
APIs
Strings
• DEVICE: %sCLASS: %sINTERFACE: %sADD: %u, xrefs: 00B727C7
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrlen$Heap$AllocFree_snprintf
• String ID: DEVICE: %sCLASS: %sINTERFACE: %sADD: %u
• API String ID: 4259797675-567302550
• Opcode ID: f35f8dd9b663e474f8d595d76b5d0b70f961b8c6eb3d55196e02e1a0c64606aa
• Instruction ID: 7f23db36a28f955d7c48bf4a439e2ab024cf2f918c9e7b59a527d2ce74c55e76
• Opcode Fuzzy Hash: f35f8dd9b663e474f8d595d76b5d0b70f961b8c6eb3d55196e02e1a0c64606aa
• Instruction Fuzzy Hash: 4631D12630464096EB18EF22A998B6A77E2F788FC4F199461DF1E47B14DF3CC90AC700
APIs
• lstrlenA.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B6F7DA
• HeapAlloc.KERNEL32(?,?,?,?,?,00B6166F), ref: 00B6F800
• memcpy.NTDLL(?,?,?,?,?,00B6166F), ref: 00B6F838
• memcpy.NTDLL(?,?,?,?,?,00B6166F), ref: 00B6F851
• CallNamedPipeA.KERNEL32 ref: 00B6F885
• GetLastError.KERNEL32 ref: 00B6F88F
• HeapFree.KERNEL32 ref: 00B6F8A7
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heapmemcpy$AllocCallErrorFreeLastNamedPipelstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3803389134-0
                                                                                                                                                                                  • Opcode ID: f9ad9828ccb591440fb388136ef3d1759f8cadc46bd0caae758d0e10d1bd0f03
                                                                                                                                                                                  • Instruction ID: 15f08a15f65c6aa937a8febd48dc25ca08b362f3ff10f50a41729347d19230af
                                                                                                                                                                                  • Opcode Fuzzy Hash: f9ad9828ccb591440fb388136ef3d1759f8cadc46bd0caae758d0e10d1bd0f03
                                                                                                                                                                                  • Instruction Fuzzy Hash: 02318D766107518BD724CF26E884B6ABBA1F788F94F45816ADF4A43714DB3CC44ACB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • OpenWaitableTimerA.KERNEL32 ref: 00B657F0
                                                                                                                                                                                  • CreateWaitableTimerA.KERNEL32(?,?,?,?,00000000,00000001,00000000,00B66D07), ref: 00B65811
                                                                                                                                                                                  • GetLastError.KERNEL32(?,?,?,?,00000000,00000001,00000000,00B66D07), ref: 00B65823
                                                                                                                                                                                  • SetWaitableTimer.KERNEL32 ref: 00B65901
                                                                                                                                                                                    • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64DFF
                                                                                                                                                                                    • Part of subcall function 00B64DA8: HeapAlloc.KERNEL32 ref: 00B64E17
                                                                                                                                                                                    • Part of subcall function 00B64DA8: RegQueryValueExA.ADVAPI32 ref: 00B64E3F
                                                                                                                                                                                    • Part of subcall function 00B64DA8: RegCloseKey.KERNELBASE ref: 00B64E6F
                                                                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32 ref: 00B65877
                                                                                                                                                                                  • SetWaitableTimer.KERNEL32 ref: 00B6589D
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B658B6
• API ID: TimerWaitable$HeapQueryTimeValue$AllocCloseCreateErrorFileFreeLastOpenSystem
• String ID:
• API String ID: 1610029871-0
• Opcode ID: b93c8cf906c26263da3570a2c0fe25acf9678845b793ead80fe321966a4a3227
• Instruction ID: 63ef249fcb59f149fb8608cf5501442a8e5a4959da3168a55db79a4b80d59f60
• Opcode Fuzzy Hash: b93c8cf906c26263da3570a2c0fe25acf9678845b793ead80fe321966a4a3227
• Instruction Fuzzy Hash: 5C319062214F4582EB249B16F944B6AB7E1FB88BE5F585224EF4A43B68DF3CC455CB00
APIs
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D0F
  • Part of subcall function 00B75CF8: HeapAlloc.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D28
  • Part of subcall function 00B75CF8: GetTempPathA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D3B
  • Part of subcall function 00B75CF8: GetTickCount.KERNEL32 ref: 00B75D45
  • Part of subcall function 00B75CF8: GetTempFileNameA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D57
  • Part of subcall function 00B75CF8: lstrcpyA.KERNEL32(?,?,00000001,00B654D7), ref: 00B75D74
• CreateFileA.KERNEL32 ref: 00B69AF0
• HeapFree.KERNEL32(?,?,?,?,?,?,?,00B6131B), ref: 00B69B75
• API ID: Temp$FileHeapPath$AllocCountCreateFreeNameTicklstrcpy
• String ID:
• API String ID: 1959833082-0
• Opcode ID: 4e1ea93b48d77f94a4d11a8da31f529c8bf2a5ff110977fe5baf357b06f02766
• Instruction ID: 20341eaf2cc4a76e9601aede94e0702c15e16afb210f9b0d69501a5ba835e326
• Opcode Fuzzy Hash: 4e1ea93b48d77f94a4d11a8da31f529c8bf2a5ff110977fe5baf357b06f02766
• Instruction Fuzzy Hash: 2F219D25300B4086EB00DB27F99875A77A5FB88FE4F484225DF5A47795EF3CC44A8740
APIs
• API ID: File$Heap$AllocCloseCreateErrorFreeHandleLastReadSize
• String ID:
• API String ID: 4260168601-0
• Opcode ID: f8bb49987adde552a409d2b55611ba92b475d868dcb8be773476c42cda3adf80
• Instruction ID: 8870d0e92dd349f95e5bdeec099c58974ab8186bc750aa860714f87e02a51010
• Opcode Fuzzy Hash: f8bb49987adde552a409d2b55611ba92b475d868dcb8be773476c42cda3adf80
• Instruction Fuzzy Hash: A2215E22310B4087E7209F26A98875976E1F788BE4F158365DF3E477E4DFB8C48A8700
APIs
• lstrlenA.KERNEL32(?,00B6166F), ref: 00B62CB1
• HeapAlloc.KERNEL32(?,00B6166F), ref: 00B62CCA
• lstrcpyA.KERNEL32(?,00B6166F), ref: 00B62CEA
• CreateThread.KERNEL32 ref: 00B62D11
• CloseHandle.KERNEL32(?,00B6166F), ref: 00B62D1F
• GetLastError.KERNEL32(?,00B6166F), ref: 00B62D27
• HeapFree.KERNEL32(?,00B6166F), ref: 00B62D3B
• API ID: Heap$AllocCloseCreateErrorFreeHandleLastThreadlstrcpylstrlen
• String ID:
• API String ID: 2422424506-0
• Opcode ID: 76e74ec9dae3840c3b6c74fe496ca581335f06e66342d4542813249f1d2b9c44
• Instruction ID: 55f9bc6bce0e86cc85f78a5fee9132c20585d539724d2316c4f416fea8f33471
• Opcode Fuzzy Hash: 76e74ec9dae3840c3b6c74fe496ca581335f06e66342d4542813249f1d2b9c44
• Instruction Fuzzy Hash: 5B216D26208B8086EB109F96B88475AB7A1F788BD4F848475DF4E47B25DF3CC58AC700
APIs
Strings
                                                                                                                                                                                  • API ID: Create$GlobalStream$AllocEventHeap
                                                                                                                                                                                  • String ID: Jw
                                                                                                                                                                                  • API String ID: 11186220-2844248137
                                                                                                                                                                                  • Opcode ID: 5230de3f0b2d133a23714cc614b50e3cd6e45590a71bc3affe0e6c7a22af551f
                                                                                                                                                                                  • Instruction ID: 9fdcc554735b991404c03b23dcc8f2af9fffe7205d8724b781efac1d4f6b8100
                                                                                                                                                                                  • Opcode Fuzzy Hash: 5230de3f0b2d133a23714cc614b50e3cd6e45590a71bc3affe0e6c7a22af551f
                                                                                                                                                                                  • Instruction Fuzzy Hash: BE212975301A4082EF18CFB6D49976A37A1FB88F88F548466CA2A87650EF3DC8498741
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressAllocHandleHeapModuleProcVersion
                                                                                                                                                                                  • String ID: LdrRegisterDllNotification$NTDLL.DLL
                                                                                                                                                                                  • API String ID: 189344148-3368964806
                                                                                                                                                                                  • Opcode ID: 0894189c4dc902fc273b06c0866a10674d5201c4a06900b4d68a7bbe5d39e8c3
                                                                                                                                                                                  • Instruction ID: b54b170ceeb37147206bf5e24eef474eefff05e8d6ec6d2cca01610e0d984629
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0894189c4dc902fc273b06c0866a10674d5201c4a06900b4d68a7bbe5d39e8c3
                                                                                                                                                                                  • Instruction Fuzzy Hash: 22210672205F4085FB149F66F89071977E4FB88B84F85C5699B9D837A4EF38C9A5C300
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • RegOpenKeyA.ADVAPI32 ref: 00B64A79
                                                                                                                                                                                    • Part of subcall function 00B78A04: HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B61B23), ref: 00B78A60
                                                                                                                                                                                    • Part of subcall function 00B78A04: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00B61B23), ref: 00B78AD5
                                                                                                                                                                                  • CreateFileW.KERNEL32 ref: 00B64AEC
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B64AF8
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B64B13
                                                                                                                                                                                  • RegCloseKey.ADVAPI32 ref: 00B64B25
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • Software\Microsoft\Windows\CurrentVersion\Run, xrefs: 00B64A6B
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseHeap$AllocCreateErrorFileFreeLastOpen
                                                                                                                                                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Run
                                                                                                                                                                                  • API String ID: 732267872-1428018034
                                                                                                                                                                                  • Opcode ID: 68cde69c1c36ce3c218ad93c946945702270966f511399160471a889cbbbb73f
                                                                                                                                                                                  • Instruction ID: 93707a6264c00ff60e566758d0fc94344ca7d60bb830493c6c6abb15408c8882
                                                                                                                                                                                  • Opcode Fuzzy Hash: 68cde69c1c36ce3c218ad93c946945702270966f511399160471a889cbbbb73f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 79115E32204F8082EB10DF62F85475A77A0FB88BA9F444215EBAD47BA8DF7CC149C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHeap$CloseHandle
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1910495013-0
                                                                                                                                                                                  • Opcode ID: 712ae6dbe4d1a2a716d5f58249e1d6deb4f11c903f9c1279b5766e862d19691e
                                                                                                                                                                                  • Instruction ID: ca09803dfeaccbbab0e325d02c01dc1e4a79fea5069dd73701c257cd163cef15
                                                                                                                                                                                  • Opcode Fuzzy Hash: 712ae6dbe4d1a2a716d5f58249e1d6deb4f11c903f9c1279b5766e862d19691e
                                                                                                                                                                                  • Instruction Fuzzy Hash: B231F96A601B4482EB18DF66D59876837A2FB88F94F498456CF1E57754CF3CC899C340
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • VirtualProtect.KERNEL32 ref: 00B76277
                                                                                                                                                                                  • VirtualProtect.KERNEL32 ref: 00B762C2
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 00B762EE
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32 ref: 00B7631B
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B76331
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,00000000,00000001), ref: 00B7635D
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalProtectSectionVirtual$EnterErrorFreeHeapLastLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1291379511-0
                                                                                                                                                                                  • Opcode ID: 1dce67d3e119b81359ac4921499da57038aa833b7227bd74065973c4cb36be4c
                                                                                                                                                                                  • Instruction ID: 40c0d96fa196b331fc0aae4cbe267adaf17e203e5518edaae78b9e0b641e3e43
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1dce67d3e119b81359ac4921499da57038aa833b7227bd74065973c4cb36be4c
                                                                                                                                                                                  • Instruction Fuzzy Hash: 74518736215F4482DB50CF26E98475AB7B4F788B84F559126EFAE43B24DF38C956C340
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,00B64FAE), ref: 00B7BD2D
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,00B64FAE), ref: 00B7BD89
                                                                                                                                                                                  • wcstombs.NTDLL ref: 00B7BDA5
                                                                                                                                                                                  • GetLastError.KERNEL32(?,00B64FAE), ref: 00B7BDB8
                                                                                                                                                                                  • HeapFree.KERNEL32(?,00B64FAE), ref: 00B7BDCC
                                                                                                                                                                                  • GetLastError.KERNEL32(?,00B64FAE), ref: 00B7BDDB
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$AllocErrorLast$Freewcstombs
• String ID:
• API String ID: 324373949-0
• Opcode ID: fca1d958843d7e3c3b2516b3192193544d3782d32cb46beb646a2bd7e35d2366
• Instruction ID: d9ebb2c5260f103e4095aa0d0f962a24b1e93209b8bed9bf4e716ac353b44537
• Opcode Fuzzy Hash: fca1d958843d7e3c3b2516b3192193544d3782d32cb46beb646a2bd7e35d2366
• Instruction Fuzzy Hash: 92417C32214B44CBEB20DF56E484B5EB7A4F788B94F544125EB8D47B24DF78C4AACB40
APIs
  • Part of subcall function 00B6750C: EnterCriticalSection.KERNEL32(?,?,?,00B675A4,?,?,00000000,00B653A4), ref: 00B6751C
  • Part of subcall function 00B6750C: LeaveCriticalSection.KERNEL32(?,?,?,00B675A4,?,?,00000000,00B653A4), ref: 00B67531
• HeapAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B64470), ref: 00B6E251
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B64470), ref: 00B6E269
• lstrcmpiA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B64470), ref: 00B6E2D3
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B64470), ref: 00B6E2EC
• HeapFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000004,?,00000000,00B64470), ref: 00B6E334
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSectionmemcpy$AllocEnterFreeLeavelstrcmpi
• String ID: Blocked
• API String ID: 434168251-367579676
• Opcode ID: 7ba58a7bd79769a5546ec18bbabe4bed34201444ab88aca1e80b4db03b9a3f3a
• Instruction ID: dccbd7d19c853cb066f3783fddc0aae6d2ed933f285ed3f88def7ff4610f3dcb
• Opcode Fuzzy Hash: 7ba58a7bd79769a5546ec18bbabe4bed34201444ab88aca1e80b4db03b9a3f3a
• Instruction Fuzzy Hash: 7131CF2A311A4082DA11DF17E454B5AB7E6FB89BD4F484061DF5E87714EF3CC805C740
APIs
• HeapAlloc.KERNEL32 ref: 00B6CD37
• lstrcpyA.KERNEL32 ref: 00B6CD53
• lstrcpynA.KERNEL32 ref: 00B6CD64
• lstrlenA.KERNEL32 ref: 00B6CD7C
  • Part of subcall function 00B6DA54: lstrlenA.KERNEL32 ref: 00B6DA73
  • Part of subcall function 00B6DA54: HeapAlloc.KERNEL32 ref: 00B6DA86
  • Part of subcall function 00B6DA54: wsprintfA.USER32 ref: 00B6DAA1
  • Part of subcall function 00B6DA54: RegCreateKeyA.ADVAPI32 ref: 00B6DABA
  • Part of subcall function 00B6DA54: lstrlenA.KERNEL32 ref: 00B6DAC9
  • Part of subcall function 00B6DA54: RegSetValueExA.ADVAPI32 ref: 00B6DAEA
  • Part of subcall function 00B6DA54: RegCloseKey.ADVAPI32 ref: 00B6DAF7
  • Part of subcall function 00B6DA54: HeapFree.KERNEL32 ref: 00B6DB09
• HeapFree.KERNEL32 ref: 00B6CDCD
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$lstrlen$AllocFree$CloseCreateValuelstrcpylstrcpynwsprintf
• String ID: grabs=
• API String ID: 3146188056-3012740322
• Opcode ID: 293b14141263fd96c7cc8d01c152de743241c01f945895a192e8ed2311dd21c5
• Instruction ID: daf6e0c367b284e84c930ad5062734023d170c1a1ad9c42ca9d86d7592f984bc
• Opcode Fuzzy Hash: 293b14141263fd96c7cc8d01c152de743241c01f945895a192e8ed2311dd21c5
• Instruction Fuzzy Hash: 3E319232715A9586DB20DF66E4487A9BBA1F784B94F448035DF8D43B48EF3DC44ACB00
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CriticalSection$AllocEnterErrorHeapItemLastLeaveQueueUserWorkmemset
• String ID:
• API String ID: 1460566327-0
• Opcode ID: 7245579342ba88b00ec5d04fef03fc844a2d3250b2bbd7d57a028f497faa46b1
• Instruction ID: 1bdfc909d2c18d0aba5e90643443ff994ba901d6a155052c7406284ea39bd084
• Opcode Fuzzy Hash: 7245579342ba88b00ec5d04fef03fc844a2d3250b2bbd7d57a028f497faa46b1
• Instruction Fuzzy Hash: 23415B36210B41C7DB50AF21E84835973B4F788FA8F588225DBA9437A4DF38D959CB40
APIs
• lstrlenA.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76535
• HeapAlloc.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76548
• lstrcpyA.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76561
• StrChrA.SHLWAPI(?,?,?,?,00000001,00B76B7C), ref: 00B7656D
• GetModuleHandleA.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B76594
  • Part of subcall function 00B76604: VirtualProtect.KERNEL32 ref: 00B76668
  • Part of subcall function 00B76604: VirtualProtect.KERNEL32 ref: 00B766E0
  • Part of subcall function 00B76604: VirtualProtect.KERNEL32 ref: 00B76728
  • Part of subcall function 00B76604: VirtualProtect.KERNEL32 ref: 00B7674B
  • Part of subcall function 00B76604: EnterCriticalSection.KERNEL32 ref: 00B76773
• HeapFree.KERNEL32(?,?,?,?,00000001,00B76B7C), ref: 00B765D6
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: ProtectVirtual$Heap$AllocCriticalEnterFreeHandleModuleSectionlstrcpylstrlen
• String ID:
• API String ID: 1529581827-0
• Opcode ID: d919dc47c01ea2a098c9c2901daff8fb4573608654707b552e5f7b8ffda472d3
• Instruction ID: eb2eaace822677e94362bff28f65cfe9556cdafe01f21ef48b2242111496a016
• Opcode Fuzzy Hash: d919dc47c01ea2a098c9c2901daff8fb4573608654707b552e5f7b8ffda472d3
• Instruction Fuzzy Hash: FA315936205F8487DB20CB26E89476977E0F798B84F488565DF9E87B58DF38C455CB00
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$SleepSystemTime
• String ID:
• API String ID: 3024894049-0
• Opcode ID: 84fba4327162f24fd09f433f59a57452c1136224fdb12ae2d6cd74647d81762e
• Instruction ID: 4052356bd22a9ba68ea3346086c9c1e80f79bb808758555c46421c874a4ac90c
• Opcode Fuzzy Hash: 84fba4327162f24fd09f433f59a57452c1136224fdb12ae2d6cd74647d81762e
• Instruction Fuzzy Hash: A7317321208A8082EB61DF36E8643797772F785F95F188261DBAE47769CF2CC886C715
APIs
Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HeapQueryValue$AllocCloseFreeOpen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1185057095-0
                                                                                                                                                                                  • Opcode ID: e8305f2ceb14fed5e64cbbc18484981f8c0e7d7dba68c24bb8403d028d88dea1
                                                                                                                                                                                  • Instruction ID: 3cde00a5634e38eec7242581e71ac94f6372e2fd3d2c9d89eb15f7d8e3c43c40
                                                                                                                                                                                  • Opcode Fuzzy Hash: e8305f2ceb14fed5e64cbbc18484981f8c0e7d7dba68c24bb8403d028d88dea1
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C213776215B4586EB508F26E48872AB7A1F7C8BD4F449121EF9E43B68DF3CC545CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B75E60: HeapAlloc.KERNEL32 ref: 00B75E7C
                                                                                                                                                                                  • VirtualProtect.KERNEL32 ref: 00B76850
                                                                                                                                                                                  • VirtualProtect.KERNEL32 ref: 00B76898
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 00B768AC
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32 ref: 00B768D9
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B768EB
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B76903
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalHeapProtectSectionVirtual$AllocEnterErrorFreeLastLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1933264002-0
                                                                                                                                                                                  • Opcode ID: 751667eeb1d73075ad6246b9d7a64db65991e5e774656c60c4973c75748d3e37
                                                                                                                                                                                  • Instruction ID: 9ea9f5c55825f4b497bab2547588dec5aba2821775659ea1e795f5db96374412
                                                                                                                                                                                  • Opcode Fuzzy Hash: 751667eeb1d73075ad6246b9d7a64db65991e5e774656c60c4973c75748d3e37
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1531A236214F4696DB108F66FA9071A73B4F788B94F508126DB9E83B24DF38D8A5C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterLeaveSleepmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2473309379-0
                                                                                                                                                                                  • Opcode ID: 94c3ff241e1a16132941b14c275fe5b46e0e96927165a22b6f3c3ff1b0bd15e5
                                                                                                                                                                                  • Instruction ID: 1e93f727411c2f1ad667b7ef1a69c36381a55e5062cde38a228c5959182d2d06
                                                                                                                                                                                  • Opcode Fuzzy Hash: 94c3ff241e1a16132941b14c275fe5b46e0e96927165a22b6f3c3ff1b0bd15e5
                                                                                                                                                                                  • Instruction Fuzzy Hash: D331ED75704A449AEF11EB1AE99476837A1FB94B86F468072DB0E47374CF38C486C709
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalResumeSectionThread$EnterLeaveSleepmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2473309379-0
                                                                                                                                                                                  • Opcode ID: 82bc322c639231dc7b7e77c48a03b79cff7e93e00a150dc7e877d218518c7b89
                                                                                                                                                                                  • Instruction ID: 1e93f727411c2f1ad667b7ef1a69c36381a55e5062cde38a228c5959182d2d06
                                                                                                                                                                                  • Opcode Fuzzy Hash: 82bc322c639231dc7b7e77c48a03b79cff7e93e00a150dc7e877d218518c7b89
                                                                                                                                                                                  • Instruction Fuzzy Hash: D331ED75704A449AEF11EB1AE99476837A1FB94B86F468072DB0E47374CF38C486C709
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrlenA.KERNEL32(00000020,00000000,00000000,00B63E67), ref: 00B616C0
                                                                                                                                                                                  • lstrlenA.KERNEL32 ref: 00B616CC
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B616E3
                                                                                                                                                                                    • Part of subcall function 00B77D4C: GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00B616FE), ref: 00B77D61
                                                                                                                                                                                    • Part of subcall function 00B77D4C: wsprintfA.USER32 ref: 00B77DA5
                                                                                                                                                                                  • wsprintfA.USER32 ref: 00B61715
                                                                                                                                                                                    • Part of subcall function 00B755F0: HeapFree.KERNEL32(?,?,?,?,?,?,00000000,00B61736), ref: 00B75643
                                                                                                                                                                                    • Part of subcall function 00B6F010: GetSystemTime.KERNEL32 ref: 00B6F03A
                                                                                                                                                                                    • Part of subcall function 00B6F010: wsprintfA.USER32 ref: 00B6F063
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B6174E
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heapwsprintf$FreeTimelstrlen$AllocLocalSystem
                                                                                                                                                                                  • String ID: | "%s" | %u
                                                                                                                                                                                  • API String ID: 841582789-3278422759
                                                                                                                                                                                  • Opcode ID: 84dd5c2c4e76361107469e360164b49181b95bb97b98fd01178e4891bf86eb4d
                                                                                                                                                                                  • Instruction ID: 4c52123105c9448170fcc7d86e7ea21bb8e7153ba92a4d682150ed5d703193b9
                                                                                                                                                                                  • Opcode Fuzzy Hash: 84dd5c2c4e76361107469e360164b49181b95bb97b98fd01178e4891bf86eb4d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4B11AC66700A5082E710EB67F844B6AB7A2B788FD0F998421DE1E47B25DF3CC84AC300
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76EDE
                                                                                                                                                                                    • Part of subcall function 00B76E0C: wsprintfA.USER32 ref: 00B76E88
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F04
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F18
                                                                                                                                                                                  • lstrcpyA.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F34
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F40
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,?,?,00B7138A,?,?,00000000,00B72675), ref: 00B76F52
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Alloc$Freelstrcatlstrcpylstrlenwsprintf
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 693774796-0
                                                                                                                                                                                  • Opcode ID: fa083ef0d1399427086a75d687078625c622aebd00adf0903739cb1dca924896
                                                                                                                                                                                  • Instruction ID: 5da4684e96be1f48519317296afc47290a3b356d43985aa628ad62d940576c8d
                                                                                                                                                                                  • Opcode Fuzzy Hash: fa083ef0d1399427086a75d687078625c622aebd00adf0903739cb1dca924896
                                                                                                                                                                                  • Instruction Fuzzy Hash: BB115829715B8081EB159F66A988729B7A2FB88FD0F498065CF5D47B69EF3CC44AC700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocByteCharErrorHeapLastMultiWide
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 192197575-0
                                                                                                                                                                                  • Opcode ID: 1ad2cad57e0a2e0139f088179330e02c4f15f4e608d1d45dd397b403f1c495b9
                                                                                                                                                                                  • Instruction ID: c93399a43c84cc0b8927399853724ed5afb83cd1732d88d4150634f41263060a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ad2cad57e0a2e0139f088179330e02c4f15f4e608d1d45dd397b403f1c495b9
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D21D232620F44C7E720AF66E84832A77A1F788FE1F198625EB19477A4DF38C489C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalProtectSectionVirtual$EnterErrorFreeHeapLastLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1291379511-0
                                                                                                                                                                                  • Opcode ID: f58f25419e3de90290f53e2bbc2f1b2943c40d5c3ac242de8a887a6c4fd557b4
                                                                                                                                                                                  • Instruction ID: 8bc5ac8509fccb2223bc29f5d22409a61fba97fae384456548ee8ac6e86f1dad
                                                                                                                                                                                  • Opcode Fuzzy Hash: f58f25419e3de90290f53e2bbc2f1b2943c40d5c3ac242de8a887a6c4fd557b4
                                                                                                                                                                                  • Instruction Fuzzy Hash: 73211936624B45C2EB40CF62E98475973B4F798F98F558022DB5E53718CF38C8A6CB51
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CloseEventHandle$CreateErrorLastMultipleObjectsOpenWait
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 368714789-0
                                                                                                                                                                                  • Opcode ID: b7681c9954241ea118b834bf349bfba61330487c79500c98fae845e200a43689
                                                                                                                                                                                  • Instruction ID: 0218a2c5c3672b134b2f8bc7992e91ff37ba5ad97e128cd0cea2af0d9a9b0883
                                                                                                                                                                                  • Opcode Fuzzy Hash: b7681c9954241ea118b834bf349bfba61330487c79500c98fae845e200a43689
                                                                                                                                                                                  • Instruction Fuzzy Hash: 01118F35215B10C3EB209B29E855B1977A0FB88769F448B15DF6E026B4DF3CC55ACB14
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocHeapmemcpy
                                                                                                                                                                                  • String ID: HTTP$POST
                                                                                                                                                                                  • API String ID: 242294866-4028717631
                                                                                                                                                                                  • Opcode ID: f4eb0f9d84b38b31dab0e79f4672dabb7ff8661f2b50aa4f40fe075bd2a87911
                                                                                                                                                                                  • Instruction ID: 1164037fb30b20e2c84334124f71b7c3029d1a3035633aff27430db21751bdb1
                                                                                                                                                                                  • Opcode Fuzzy Hash: f4eb0f9d84b38b31dab0e79f4672dabb7ff8661f2b50aa4f40fe075bd2a87911
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1F312132B05B4486D7329F19E84076ABBE1E3C0B84F19C2629E7C43B54D679C8C3EB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFreelstrlen
                                                                                                                                                                                  • String ID: Email
                                                                                                                                                                                  • API String ID: 1454990542-642995056
                                                                                                                                                                                  • Opcode ID: c2d3f15fd1f7ec685318d2d9edb5adf660b14529cb32cfc3ae5480164905b42f
                                                                                                                                                                                  • Instruction ID: c61cd6a5e23c7607fa2df67180104b3423b2c49ded3697525298cab052620d34
                                                                                                                                                                                  • Opcode Fuzzy Hash: c2d3f15fd1f7ec685318d2d9edb5adf660b14529cb32cfc3ae5480164905b42f
                                                                                                                                                                                  • Instruction Fuzzy Hash: BF317C32304A5086EB54CF2AE88476AB7D6F788BD5F598025DF9E87B24DF38C5868700
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Alloclstrcpy$Freelstrlenmemcpy
• String ID:
• API String ID: 3375855872-0
APIs
• GetModuleHandleA.KERNEL32(?,?,00000010,00B79968), ref: 00B797EA
• LoadLibraryA.KERNEL32(?,?,00000010,00B79968), ref: 00B798AD
• FreeLibrary.KERNEL32(?,?,00000010,00B79968), ref: 00B798BB
Strings
Yara matches
Similarity
• API ID: Library$FreeHandleLoadModule
• String ID: NTDLL.DLL$NTDSAPI.DLL
• API String ID: 2140536961-3558519346
APIs
• LoadLibraryW.KERNEL32(?,?,00B6166F), ref: 00B906EB
• GetProcAddress.KERNEL32(?,?,00B6166F), ref: 00B906FB
Strings
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: 0$IsMenu$USER32.dll
• API String ID: 2574300362-703140235
APIs
• ExpandEnvironmentStringsA.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B77FD4
• HeapAlloc.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B77FEC
• ExpandEnvironmentStringsA.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B78007
• HeapFree.KERNEL32(?,?,EE553B43,00B782C9), ref: 00B7801D
Strings
Yara matches
Similarity
• API ID: EnvironmentExpandHeapStrings$AllocFree
• String ID: %systemroot%\system32\c_1252.nls
• API String ID: 1767267164-1041879338
APIs
• GetModuleHandleA.KERNEL32 ref: 00B6817D
• TlsAlloc.KERNEL32 ref: 00B6818B
• GetLastError.KERNEL32 ref: 00B681AD
  • Part of subcall function 00B67F68: RtlImageNtHeader.NTDLL ref: 00B67F91
Strings
Yara matches
Similarity
• API ID: AllocErrorHandleHeaderImageLastModule
• String ID: CHROME.DLL$CrHook
• API String ID: 3496375761-3894427846
APIs
  • Part of subcall function 00B7F798: EnterCriticalSection.KERNEL32(00000000,00000000,00000000,00B6FA08), ref: 00B7F7C0
  • Part of subcall function 00B7F798: Sleep.KERNEL32 ref: 00B7F7D2
  • Part of subcall function 00B7F798: LeaveCriticalSection.KERNEL32 ref: 00B7F8F8
• OpenProcess.KERNEL32 ref: 00B7E022
• CloseHandle.KERNEL32 ref: 00B7E047
• GetSystemTimeAsFileTime.KERNEL32 ref: 00B7E0C3
• HeapAlloc.KERNEL32 ref: 00B7E144
• GetSystemTimeAsFileTime.KERNEL32 ref: 00B7E156
Yara matches
Similarity
• API ID: Time$CriticalFileSectionSystem$AllocCloseEnterHandleHeapLeaveOpenProcessSleep
• String ID:
• API String ID: 2757800697-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B799DC: HeapAlloc.KERNEL32 ref: 00B79A24
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,00B64FAE), ref: 00B78DFF
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,00B64FAE), ref: 00B78E4A
                                                                                                                                                                                  • memcpy.NTDLL(?,00B64FAE), ref: 00B78E89
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,00B64FAE), ref: 00B78EB0
                                                                                                                                                                                  • lstrcatA.KERNEL32(?,00B64FAE), ref: 00B78ECC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • API ID: AllocHeaplstrcat$lstrlenmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 783231797-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32(00000000,00000000,00000000,00B6FA08), ref: 00B7F7C0
                                                                                                                                                                                  • Sleep.KERNEL32 ref: 00B7F7D2
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B7F850
                                                                                                                                                                                  • memset.NTDLL ref: 00B7F86B
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B7F8EF
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32 ref: 00B7F8F8
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • API ID: CriticalHeapSection$AllocEnterFreeLeaveSleepmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2182527880-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B678F8: GetSystemTimeAsFileTime.KERNEL32 ref: 00B67922
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B6A9A5
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B6AA36
                                                                                                                                                                                    • Part of subcall function 00B75498: CreateFileW.KERNEL32 ref: 00B754F6
                                                                                                                                                                                    • Part of subcall function 00B75498: GetLastError.KERNEL32 ref: 00B75505
                                                                                                                                                                                    • Part of subcall function 00B75498: WaitForSingleObject.KERNEL32 ref: 00B75528
                                                                                                                                                                                    • Part of subcall function 00B75498: CreateFileW.KERNEL32 ref: 00B7555C
                                                                                                                                                                                    • Part of subcall function 00B75498: SetFilePointer.KERNEL32 ref: 00B7558B
                                                                                                                                                                                    • Part of subcall function 00B75498: WriteFile.KERNEL32 ref: 00B755A8
                                                                                                                                                                                    • Part of subcall function 00B75498: SetEndOfFile.KERNEL32 ref: 00B755B5
                                                                                                                                                                                    • Part of subcall function 00B75498: CloseHandle.KERNEL32 ref: 00B755CA
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B6AA86
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B6AA98
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • API ID: File$Heap$AllocCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                                                                                                                                                                  • String ID: https://
                                                                                                                                                                                  • API String ID: 739339341-4275131719
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • API ID: Heap$AllocFreelstrlenmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3413666641-0
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00B69A08,?,?,?,?,?,?,00000000,00B69AC1), ref: 00B80D6D
                                                                                                                                                                                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00B69A08,?,?,?,?,?,?,00000000,00B69AC1), ref: 00B80D7C
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,?,?,00B69A08,?,?,?,?,?,?,00000000,00B69AC1), ref: 00B80DA6
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • API ID: lstrlen$AllocHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 669319671-0
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: ErrorHeapLast$AllocFreeObjectSingleWait
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1605943399-0
                                                                                                                                                                                  • Opcode ID: 85e0ef9b0a87e22e9f1e86994261048df1228265ba4529271e13d7c847bf535d
                                                                                                                                                                                  • Instruction ID: f4a2459ce5a481f81d46fdf06da81032d8b2b61f20771e32d0861b73d7cd275b
                                                                                                                                                                                  • Opcode Fuzzy Hash: 85e0ef9b0a87e22e9f1e86994261048df1228265ba4529271e13d7c847bf535d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1C315172300A44C6EB108F26E88875937A2F784FD5F594155CF4997B94CF7DC889CB01
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • SetThreadAffinityMask.KERNEL32 ref: 00B90B9E
                                                                                                                                                                                  • SetThreadAffinityMask.KERNEL32 ref: 00B90BE2
                                                                                                                                                                                  • SetThreadPriority.KERNEL32 ref: 00B90C15
                                                                                                                                                                                  • ResumeThread.KERNEL32 ref: 00B90C5C
                                                                                                                                                                                  • SwitchToThread.KERNEL32 ref: 00B90C62
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Thread$AffinityMask$PriorityResumeSwitch
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1762957244-0
                                                                                                                                                                                  • Opcode ID: 68fc506ad74617053b9c131fa5460d51274306e4c8cb16f81a9165dc72bfc570
                                                                                                                                                                                  • Instruction ID: 7161c5cac06321861cffe8c3f27db964699a76881b195a63c7f9bd199a4e00c6
                                                                                                                                                                                  • Opcode Fuzzy Hash: 68fc506ad74617053b9c131fa5460d51274306e4c8cb16f81a9165dc72bfc570
                                                                                                                                                                                  • Instruction Fuzzy Hash: 99311D72629640CEEB20AF15E49876977B1F384B4DF504275EB4E076A8CB7CC485CF04
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFreeResumeThread_wcsuprlstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2224000192-0
                                                                                                                                                                                  • Opcode ID: 59a7adb5201f75a9345ccfb5a5ef280db9ce9391f5c6ded0f2d639243ddf4b52
                                                                                                                                                                                  • Instruction ID: 4ba3fcbd1b4bf27fc087bcf864a0228fc7da662df70673c5488360983de98053
                                                                                                                                                                                  • Opcode Fuzzy Hash: 59a7adb5201f75a9345ccfb5a5ef280db9ce9391f5c6ded0f2d639243ddf4b52
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3E218C25704A4086EB10EB23F95471A7BA2F788FD8F988461DF1E57724CF7CC8998740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Trim$AllocHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1148042354-0
                                                                                                                                                                                  • Opcode ID: 1ca7e0557b0d577f551be483b87445b1d40036cfe9ff91b6855998dfe6bf3379
                                                                                                                                                                                  • Instruction ID: 863076781be6741c4baf43f78f2cd713292fca2a04ce164b91e1946b0db09e7a
                                                                                                                                                                                  • Opcode Fuzzy Hash: 1ca7e0557b0d577f551be483b87445b1d40036cfe9ff91b6855998dfe6bf3379
                                                                                                                                                                                  • Instruction Fuzzy Hash: B9118F25345B4086EB11DF86B88876A7BA0F789BD0F99A024DF5E07B15DF3DC886C701
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • StrChrA.SHLWAPI(?,?,?,00B645F2), ref: 00B63062
                                                                                                                                                                                  • StrRChrA.SHLWAPI(?,?,?,00B645F2), ref: 00B63084
                                                                                                                                                                                  • StrTrimA.SHLWAPI(?,?,?,00B645F2), ref: 00B630A9
                                                                                                                                                                                  • StrTrimA.SHLWAPI(?,?,?,00B645F2), ref: 00B630B9
                                                                                                                                                                                  • HeapFree.KERNEL32(?,?,?,00B645F2), ref: 00B63101
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Trim$FreeHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2132463267-0
                                                                                                                                                                                  • Opcode ID: 60ce8389cd37a5f8540ba024439be25fd484fa759489d0637cb35b7f41f2e7db
                                                                                                                                                                                  • Instruction ID: b1506d2c84039bd3045be14791c4b4c71e8ac6314e99def1ce1ba31516ac0daa
                                                                                                                                                                                  • Opcode Fuzzy Hash: 60ce8389cd37a5f8540ba024439be25fd484fa759489d0637cb35b7f41f2e7db
                                                                                                                                                                                  • Instruction Fuzzy Hash: B611AC26304B8182EB148B16E8547A977E1EB89BD4F895021DF4E57B18EF3CC949C740
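The per-function blocks above are only useful in bulk if they can be turned into records: which imported APIs a function calls, from which module, and at what address relative to the dumped image. The following Python parser is an added example for this page, not part of the Joe Sandbox report or its tooling. It assumes, as the layout on this page shows, that each function block starts with a bare "APIs" line and that API references have the shape "Name.MODULE(args), ref: ADDRESS"; the sample text is constructed from two of the entries above with the report indentation and "Download File" links removed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function entries copied in the shape this report
# renders them (indentation and "Download File" links removed).
SAMPLE = """\
APIs
• SetThreadAffinityMask.KERNEL32 ref: 00B90B9E
• SetThreadAffinityMask.KERNEL32 ref: 00B90BE2
• SetThreadPriority.KERNEL32 ref: 00B90C15
• ResumeThread.KERNEL32 ref: 00B90C5C
• SwitchToThread.KERNEL32 ref: 00B90C62
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: Thread$AffinityMask$PriorityResumeSwitch
• String ID:
• API String ID: 1762957244-0
• Instruction Fuzzy Hash: 99311D72629640CEEB20AF15E49876977B1F384B4DF504275EB4E076A8CB7CC485CF04
APIs
• StrChrA.SHLWAPI(?,?,?,00B645F2), ref: 00B63062
• StrRChrA.SHLWAPI(?,?,?,00B645F2), ref: 00B63084
• StrTrimA.SHLWAPI(?,?,?,00B645F2), ref: 00B630A9
• StrTrimA.SHLWAPI(?,?,?,00B645F2), ref: 00B630B9
• HeapFree.KERNEL32(?,?,?,00B645F2), ref: 00B63101
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: Trim$FreeHeap
• String ID:
• API String ID: 2132463267-0
• Instruction Fuzzy Hash: B611AC26304B8182EB148B16E8547A977E1EB89BD4F895021DF4E57B18EF3CC949C740
"""

# One "Name.MODULE(args), ref: ADDR" bullet; the argument list and comma are optional.
API_REF = re.compile(
    r"^• (?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ref: (?P<addr>[0-9A-Fa-f]+)$"
)
# Any other "• Key: value" bullet (API ID, Source File, fuzzy hashes, ...).
FIELD = re.compile(r"^• (?P<key>[A-Za-z ]+): ?(?P<value>.*)$")


@dataclass
class ApiRef:
    api: str
    module: str
    args: str
    addr: int  # virtual address of the call site inside the dumped image


@dataclass
class FunctionEntry:
    api_refs: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)


def parse_entries(text):
    """Split report text into per-function entries. Assumes (as on this page)
    that every function block begins with a bare 'APIs' line."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionEntry()
            entries.append(current)
            continue
        if current is None or not line.startswith("• "):
            continue
        m = API_REF.match(line)
        if m:
            current.api_refs.append(
                ApiRef(m["api"], m["module"], m["args"] or "", int(m["addr"], 16)))
            continue
        m = FIELD.match(line)
        if m:
            current.fields[m["key"]] = m["value"].strip()
    return entries


def image_base(entry):
    """Base of the dump the entry was lifted from, from 'Offset:' in Source File."""
    m = re.search(r"Offset: ([0-9A-Fa-f]+)", entry.fields.get("Source File", ""))
    return int(m.group(1), 16) if m else None


def ref_rvas(entry):
    """Call sites as RVAs, so they can be matched against the unpacked PE or a
    dump of the same image loaded at a different base."""
    base = image_base(entry)
    return [r.addr - base for r in entry.api_refs] if base is not None else []


def functions_calling(entries, api_name):
    return [e for e in entries if any(r.api == api_name for r in e.api_refs)]


def modules_used(entry):
    return sorted({r.module for r in entry.api_refs})


if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(e.fields.get("API ID"), modules_used(e), [hex(x) for x in ref_rvas(e)])
```

Feeding the whole report through `parse_entries` and pivoting on `functions_calling` is the quickest way to find, for example, every function that touches `ResumeThread` or `HeapFree`, and the RVAs let you line those call sites up with the same image in a disassembler regardless of where svchost.exe mapped it.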
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: HeapTime$AllocFileFreeSystemlstrlenmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4256269096-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: lstrcat$AllocHeaplstrcpylstrlen
• String ID:
• API String ID: 119870250-0
APIs
• lstrlenA.KERNEL32(?,?,00000000,00B713A9,?,?,00000000,00B72675,?,?,?,?,?,?,00000000,00B615DD), ref: 00B78049
• lstrlenA.KERNEL32(?,?,00000000,00B713A9,?,?,00000000,00B72675,?,?,?,?,?,?,00000000,00B615DD), ref: 00B78054
• HeapAlloc.KERNEL32(?,?,00000000,00B713A9,?,?,00000000,00B72675,?,?,?,?,?,?,00000000,00B615DD), ref: 00B78068
• lstrcpyA.KERNEL32(?,?,00000000,00B713A9,?,?,00000000,00B72675,?,?,?,?,?,?,00000000,00B615DD), ref: 00B7807C
• lstrcatA.KERNEL32(?,?,00000000,00B713A9,?,?,00000000,00B72675,?,?,?,?,?,?,00000000,00B615DD), ref: 00B78088
Yara matches
Similarity
• API ID: lstrlen$AllocHeaplstrcatlstrcpy
• String ID:
• API String ID: 1176035441-0
APIs
Strings
Yara matches
Similarity
• API ID: CriticalEnterEventSectionSleep
• String ID: Jw
• API String ID: 1727231358-2844248137
APIs
• RegSetValueExA.ADVAPI32(?,?,?,?,?,?,?,00000000,00B79CD0), ref: 00B652A6
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,00000000,00B79CD0), ref: 00B652B3
Strings
Yara matches
Similarity
• API ID: CloseValue
• String ID: ($Client
• API String ID: 3132538880-90774469
APIs
• GetModuleHandleA.KERNEL32 ref: 00B68A94
• LoadLibraryExW.KERNEL32 ref: 00B68AA6
• GetModuleHandleA.KERNEL32 ref: 00B68AC0
  • Part of subcall function 00B68170: GetModuleHandleA.KERNEL32 ref: 00B6817D
  • Part of subcall function 00B68170: TlsAlloc.KERNEL32 ref: 00B6818B
Strings
Yara matches
Similarity
• API ID: HandleModule$AllocLibraryLoad
• String ID: CHROME.DLL
• API String ID: 636078091-1627437769
APIs
Yara matches
Similarity
• API ID: memset
• String ID:
• API String ID: 2221118986-0
                                                                                                                                                                                  • Opcode ID: e93d1e321c6ff50006d4915723a8c94107410980c79d58556a32022528d812aa
                                                                                                                                                                                  • Instruction ID: b4ca2e40f138b073abdf7e4432409e82a49c1e20c6c10eed279c21f0ac274bbb
                                                                                                                                                                                  • Opcode Fuzzy Hash: e93d1e321c6ff50006d4915723a8c94107410980c79d58556a32022528d812aa
                                                                                                                                                                                  • Instruction Fuzzy Hash: 1261E132714A8497DB34EF76F444AAABBA1F3D8B98F484125DE4953B68DB38E501CB00

APIs
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B84B98
  • Part of subcall function 00B84804: memset.NTDLL ref: 00B8481E
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B84A58
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B84A9C
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B84AD3
• memcpy.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B84B0A
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: memcpy$memset
• String ID:
• API String ID: 438689982-0
• Opcode ID: 2151103be0c501ab8c7147797b707165b7821e2b9d692d2995731587fd7a70f6
• Instruction ID: e04ef6517c7332aff148d6ae8425841cd07bb509dfb2e867d81fe5a656aad2a5
• Opcode Fuzzy Hash: 2151103be0c501ab8c7147797b707165b7821e2b9d692d2995731587fd7a70f6
• Instruction Fuzzy Hash: 11513B76314A8086C724EF22E45076AB3E5F748FC8F589466EF9987B28DF38C941C744

APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: memset$memcpy
• String ID:
• API String ID: 368790112-0
• Opcode ID: 1a582670cfd5f0da8f5518a0681e20485fb747911a26339ec5949d6b307eaa12
• Instruction ID: d7c3a58c5b854bc96a9a51452a032f0dccf1c8355f87cb17932aa2f035572744
• Opcode Fuzzy Hash: 1a582670cfd5f0da8f5518a0681e20485fb747911a26339ec5949d6b307eaa12
• Instruction Fuzzy Hash: A941B072204BCA96CB20EF52E8847DAB3A4F7C5B88F404152EF8957B58DB39C906CB40

APIs
• EnterCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F94E
• LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F95C
• EnterCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9A5
• Sleep.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9B7
• LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9DB
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$Sleep
• String ID:
• API String ID: 2348874005-0
• Opcode ID: 6f6af1bfff6e63d47e0886f6c70d8e42b8b50da5e7bd5e05439e824e36fb427c
• Instruction ID: 1ade82f3daf53b29b125b1d103e8d29d2d1021b612bf73f00e3d8ee1d59a74b2
• Opcode Fuzzy Hash: 6f6af1bfff6e63d47e0886f6c70d8e42b8b50da5e7bd5e05439e824e36fb427c
• Instruction Fuzzy Hash: 1E217C32215A61D7CA219B22E68037D73A0F348FE4F548262EF6E57B54CF38DC928744

APIs
  • Part of subcall function 00B7A224: lstrlenA.KERNEL32 ref: 00B7A23B
• HeapAlloc.KERNEL32 ref: 00B67A48
• memcpy.NTDLL ref: 00B67A5F
• EnterCriticalSection.KERNEL32 ref: 00B67A6F
• LeaveCriticalSection.KERNEL32 ref: 00B67A84
• HeapFree.KERNEL32 ref: 00B67AC5
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocEnterFreeLeavelstrlenmemcpy
• String ID:
• API String ID: 3023213279-0
• Opcode ID: 5c66df63fe2fdc2084343691ddd8154e3b81d62e5bc9ab35f37a36ed80c2d611
• Instruction ID: a5400b4e8c0668eeb80ffbb2dacc7b73081eb053277a00f315e9138b00fff13c
• Opcode Fuzzy Hash: 5c66df63fe2fdc2084343691ddd8154e3b81d62e5bc9ab35f37a36ed80c2d611
• Instruction Fuzzy Hash: AC217920614B8186EB44DB63F88835977A1FB98FD8F488162DB1E03769DF3CC546C300

APIs
  • Part of subcall function 00B780A4: lstrlenA.KERNEL32 ref: 00B780C2
  • Part of subcall function 00B780A4: HeapAlloc.KERNEL32 ref: 00B780DC
  • Part of subcall function 00B780A4: memcpy.NTDLL ref: 00B780F3
  • Part of subcall function 00B780A4: memset.NTDLL ref: 00B78105
  • Part of subcall function 00B677B0: EnterCriticalSection.KERNEL32 ref: 00B677F8
  • Part of subcall function 00B677B0: LeaveCriticalSection.KERNEL32 ref: 00B6780D
  • Part of subcall function 00B677B0: GetSystemTimeAsFileTime.KERNEL32 ref: 00B6781F
  • Part of subcall function 00B677B0: HeapAlloc.KERNEL32 ref: 00B6789A
• HeapFree.KERNEL32 ref: 00B6FA32
• HeapFree.KERNEL32 ref: 00B6FA6C
• HeapFree.KERNEL32 ref: 00B6FAE7
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
• Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
• Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: Heap$Free$AllocCriticalSectionTime$EnterFileLeaveSystemlstrlenmemcpymemset
• String ID: POST
• API String ID: 2875012177-1814004025
• Opcode ID: b974fd209a9491e2838ed67794c6862d5f0bed6116ae8d6e4011d264c0dad5ec
• Instruction ID: 47148b4ad7698b2af0b4af9fc0158c52e8fdda793685cf6d6f4c45202efd8681
• Opcode Fuzzy Hash: b974fd209a9491e2838ed67794c6862d5f0bed6116ae8d6e4011d264c0dad5ec
• Instruction Fuzzy Hash: 2F416A36215B8186EB15DF66E58876A7BA2FB84BC8F098065DF4D47758DF3CC444CB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: _strupr
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3408778250-0
                                                                                                                                                                                  • Opcode ID: e95def599b6be568e0c0c4b8050dea5a4f3a396607785bdc34cbd836d867b625
                                                                                                                                                                                  • Instruction ID: be11623674a9a41ca1f94e510f3964d2cb8f6eeeb063251d9f4079384c52f40d
                                                                                                                                                                                  • Opcode Fuzzy Hash: e95def599b6be568e0c0c4b8050dea5a4f3a396607785bdc34cbd836d867b625
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8541BF32300A4597DB30DF15E49075D73A1F7ACB88F8185A6DAAD93718EF38CA49CB81
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$AttributesDeleteErrorLastmemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1100829392-0
                                                                                                                                                                                  • Opcode ID: c80293da243557e800bab2278a7b442136f4385fdbf883f503e418d6ac8ddb66
                                                                                                                                                                                  • Instruction ID: c408f7d3bfec4af93ad2d932acd47a460350823005946082e28c8a37e277ac46
                                                                                                                                                                                  • Opcode Fuzzy Hash: c80293da243557e800bab2278a7b442136f4385fdbf883f503e418d6ac8ddb66
                                                                                                                                                                                  • Instruction Fuzzy Hash: D531DD22320B4481DB30BB65E49476D73D5F798B84FAD0191EA9947B79DF38C98ACB01
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFreelstrlenmemset
                                                                                                                                                                                  • String ID: form
                                                                                                                                                                                  • API String ID: 3413666641-1384709455
                                                                                                                                                                                  • Opcode ID: 4d06ac19f0937385aa9aa8198b59dcbdb0a7c6742e4cf9a880a18db54867c6ed
                                                                                                                                                                                  • Instruction ID: 7b25717ea84f43f3b4a5cf494b17b1d39671ff921a6502a8949c343c911a2a89
                                                                                                                                                                                  • Opcode Fuzzy Hash: 4d06ac19f0937385aa9aa8198b59dcbdb0a7c6742e4cf9a880a18db54867c6ed
                                                                                                                                                                                  • Instruction Fuzzy Hash: A13181227107408AEB209B17EA94B5A77E1FB58BD4F498065DF6D67B21DF38C845CB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID: VUUU
                                                                                                                                                                                  • API String ID: 2221118986-2040033107
                                                                                                                                                                                  • Opcode ID: 9bc236940aad1b5ce8851f04594bdbca9ce8a5efe46d42dd9ed25d347f93adbe
                                                                                                                                                                                  • Instruction ID: 6fefca89851f34f02ee94e488e8fb8232ac5cc3908aedbf74896e6bccf3b04a3
                                                                                                                                                                                  • Opcode Fuzzy Hash: 9bc236940aad1b5ce8851f04594bdbca9ce8a5efe46d42dd9ed25d347f93adbe
                                                                                                                                                                                  • Instruction Fuzzy Hash: 853106B3A19B808AC758CF39E4413983BE9F748B08F58813EEA4D8B758DB35C555CB54
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFreeObjectRegisterSingleWaitmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1973534486-0
                                                                                                                                                                                  • Opcode ID: 346b769411756dfe5dd0b46c5a878bf756fba6b0f97e2c603990bb43fe3e2104
                                                                                                                                                                                  • Instruction ID: 5d8bab6c78fc3954d3e77a1974d6452dec0eaf5f0f679809353e73626da178b8
                                                                                                                                                                                  • Opcode Fuzzy Hash: 346b769411756dfe5dd0b46c5a878bf756fba6b0f97e2c603990bb43fe3e2104
                                                                                                                                                                                  • Instruction Fuzzy Hash: 83316A76200B8086EB10CF22F8447597BA4F788BE4F598625DF6D437A4DF38C98AC740
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B7A224: lstrlenA.KERNEL32 ref: 00B7A23B
                                                                                                                                                                                  • EnterCriticalSection.KERNEL32 ref: 00B677F8
                                                                                                                                                                                  • LeaveCriticalSection.KERNEL32 ref: 00B6780D
                                                                                                                                                                                  • GetSystemTimeAsFileTime.KERNEL32 ref: 00B6781F
                                                                                                                                                                                  • HeapAlloc.KERNEL32 ref: 00B6789A
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalSectionTime$AllocEnterFileHeapLeaveSystemlstrlen
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 1835621383-0
                                                                                                                                                                                  • Opcode ID: 76b5b553587c6a42277e599698decd0c98e90a65f6a63c9ee63cc6e04314244e
                                                                                                                                                                                  • Instruction ID: ac5069f64cdd2456a3454492fe364010687d828e79dd8c3747d721159d9626f1
                                                                                                                                                                                  • Opcode Fuzzy Hash: 76b5b553587c6a42277e599698decd0c98e90a65f6a63c9ee63cc6e04314244e
                                                                                                                                                                                  • Instruction Fuzzy Hash: 3A313632615B4086EB20DF27E944719B7A1F794BA8F488526DF4D43B64EF3CE84ACB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B6A640: EnterCriticalSection.KERNEL32(?,?,00000000,00B70965,?,?,?,00B68501), ref: 00B6A65E
                                                                                                                                                                                    • Part of subcall function 00B6A640: LeaveCriticalSection.KERNEL32(?,?,00000000,00B70965,?,?,?,00B68501), ref: 00B6A66C
                                                                                                                                                                                  • TlsGetValue.KERNEL32 ref: 00B6BAD7
                                                                                                                                                                                  • SetEvent.KERNEL32 ref: 00B6BB20
                                                                                                                                                                                  • TlsSetValue.KERNEL32 ref: 00B6BB58
                                                                                                                                                                                  • TlsSetValue.KERNEL32 ref: 00B6BB7E
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Value$CriticalSection$EnterEventLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2812457690-0
                                                                                                                                                                                  • Opcode ID: 750e4bbb064d700f1ef07fb13a46bfa9256fbede9e21c3a83c8156bd852c1a75
                                                                                                                                                                                  • Instruction ID: f72e1214c146b7b4d582ba59c0da76f2ce086c3ccaa131bd3358054c91695172
                                                                                                                                                                                  • Opcode Fuzzy Hash: 750e4bbb064d700f1ef07fb13a46bfa9256fbede9e21c3a83c8156bd852c1a75
                                                                                                                                                                                  • Instruction Fuzzy Hash: 4A314F3260069086EB24DF26E845B2DB7A2F795BA4F494165EE4947768CB3CD882C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • memset.NTDLL ref: 00B6951F
                                                                                                                                                                                  • lstrlenW.KERNEL32 ref: 00B69568
                                                                                                                                                                                  • OpenFileMappingA.KERNEL32 ref: 00B695BC
                                                                                                                                                                                  • CloseHandle.KERNEL32 ref: 00B695E7
                                                                                                                                                                                    • Part of subcall function 00B69608: GetTickCount.KERNEL32 ref: 00B69622
                                                                                                                                                                                    • Part of subcall function 00B69608: CreateFileW.KERNEL32 ref: 00B6964D
                                                                                                                                                                                    • Part of subcall function 00B69608: GetFileSize.KERNEL32 ref: 00B69685
                                                                                                                                                                                    • Part of subcall function 00B69608: CreateFileMappingA.KERNEL32 ref: 00B696A8
                                                                                                                                                                                    • Part of subcall function 00B69608: lstrlenA.KERNEL32 ref: 00B696C0
                                                                                                                                                                                    • Part of subcall function 00B69608: lstrcpyA.KERNEL32 ref: 00B696D0
                                                                                                                                                                                    • Part of subcall function 00B69608: HeapFree.KERNEL32 ref: 00B696EC
                                                                                                                                                                                    • Part of subcall function 00B69608: CloseHandle.KERNEL32 ref: 00B696FC
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3239194699-0
                                                                                                                                                                                  • Opcode ID: 685bde45d33e7c5f8411c894f789424f4aee07f75795b69abcacfccdb6cc1eb7
                                                                                                                                                                                  • Instruction ID: f80ed0fd74009005ab862f9920eb7eeabbad8cb1cce6c8eb9a64628562fb2919
                                                                                                                                                                                  • Opcode Fuzzy Hash: 685bde45d33e7c5f8411c894f789424f4aee07f75795b69abcacfccdb6cc1eb7
                                                                                                                                                                                  • Instruction Fuzzy Hash: FD21523221878182DB20DF11F4807AD77A5F398BA4F544366EBAA43B98DF3CC54ACB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocHeap_snprintflstrlen
                                                                                                                                                                                  • String ID: %c%02X
                                                                                                                                                                                  • API String ID: 1081233772-58068880
                                                                                                                                                                                  • Opcode ID: 0f0b83d6d2dc2e7281f34d3a0a2676f1c757570369989d4a0254706c776a0837
                                                                                                                                                                                  • Instruction ID: be78c090c6e6df4bc97b67a412aaccd0eb9e8f49fb67fdd7aff8de7507f58f34
                                                                                                                                                                                  • Opcode Fuzzy Hash: 0f0b83d6d2dc2e7281f34d3a0a2676f1c757570369989d4a0254706c776a0837
                                                                                                                                                                                  • Instruction Fuzzy Hash: 6B11E935A08784C5DB28CB19A4043A573A2E785B84F88C0B2DAAC0732DDF3AC48B8705
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,?,?,00B643C2), ref: 00B64B6C
                                                                                                                                                                                    • Part of subcall function 00B6F8D0: GetLastError.KERNEL32(?,00B66499), ref: 00B6F93C
                                                                                                                                                                                    • Part of subcall function 00B6F8D0: CloseHandle.KERNEL32(?,00B66499), ref: 00B6F947
                                                                                                                                                                                  • lstrlenA.KERNEL32(?,?,?,?,?,00B643C2), ref: 00B64BAB
                                                                                                                                                                                  • HeapFree.KERNEL32 ref: 00B64BDA
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocCloseErrorFreeHandleLastlstrlen
                                                                                                                                                                                  • String ID: EMPTY
                                                                                                                                                                                  • API String ID: 3364428157-1696604233
                                                                                                                                                                                  • Opcode ID: 7167d9b4c663ce876442ba6d7154f53fa24b029d4d6896b6e83f87b3561637d2
                                                                                                                                                                                  • Instruction ID: f202cd4a914c5f185472465af64a862989b47501492ab86036806cf3829ad1db
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7167d9b4c663ce876442ba6d7154f53fa24b029d4d6896b6e83f87b3561637d2
                                                                                                                                                                                  • Instruction Fuzzy Hash: 9B116D36724B5086EB04CB5AE54431AB7A1FBC8BD0F588065DF4C43B24EF38C559CB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • lstrcatW.KERNEL32 ref: 00B632D6
                                                                                                                                                                                    • Part of subcall function 00B75498: CreateFileW.KERNEL32 ref: 00B754F6
                                                                                                                                                                                    • Part of subcall function 00B75498: GetLastError.KERNEL32 ref: 00B75505
                                                                                                                                                                                    • Part of subcall function 00B75498: WaitForSingleObject.KERNEL32 ref: 00B75528
                                                                                                                                                                                    • Part of subcall function 00B75498: CreateFileW.KERNEL32 ref: 00B7555C
                                                                                                                                                                                    • Part of subcall function 00B75498: SetFilePointer.KERNEL32 ref: 00B7558B
                                                                                                                                                                                    • Part of subcall function 00B75498: WriteFile.KERNEL32 ref: 00B755A8
                                                                                                                                                                                    • Part of subcall function 00B75498: SetEndOfFile.KERNEL32 ref: 00B755B5
                                                                                                                                                                                    • Part of subcall function 00B75498: CloseHandle.KERNEL32 ref: 00B755CA
                                                                                                                                                                                  • WaitForSingleObject.KERNEL32 ref: 00B63305
                                                                                                                                                                                  • CreateFileW.KERNEL32 ref: 00B6333A
                                                                                                                                                                                  • GetLastError.KERNEL32 ref: 00B63353
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmp
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
Similarity
• API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
• String ID:
APIs
• HeapAlloc.KERNEL32(?,00B6166F), ref: 00B624A3
• lstrcpyA.KERNEL32(?,00B6166F), ref: 00B624CF
• HeapFree.KERNEL32(?,00B6166F), ref: 00B62514
  • Part of subcall function 00B80C44: SetEvent.KERNEL32(?,?,00000000,00B723A8,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B80C71
  • Part of subcall function 00B80C44: WaitForSingleObject.KERNEL32 ref: 00B80C91
  • Part of subcall function 00B80C44: CloseHandle.KERNEL32 ref: 00B80C9E
  • Part of subcall function 00B80C44: CloseHandle.KERNEL32 ref: 00B80CAD
  • Part of subcall function 00B80C44: EnterCriticalSection.KERNEL32 ref: 00B80CB7
  • Part of subcall function 00B80C44: LeaveCriticalSection.KERNEL32 ref: 00B80CE3
  • Part of subcall function 00B80C44: CloseHandle.KERNEL32 ref: 00B80CFF
  • Part of subcall function 00B80C44: LocalFree.KERNEL32 ref: 00B80D0E
  • Part of subcall function 00B80C44: DeleteCriticalSection.KERNEL32(?,?,00000000,00B723A8,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B80D18
  • Part of subcall function 00B80C44: HeapFree.KERNEL32(?,?,00000000,00B723A8,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B80D2A
Strings
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: CloseCriticalFreeHandleHeapSection$AllocDeleteEnterEventLeaveLocalObjectSingleWaitlstrcpy
• String ID: -01
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
• String ID:
APIs
• lstrlenA.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752C2
• HeapAlloc.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B752D8
• mbstowcs.NTDLL ref: 00B752F0
  • Part of subcall function 00B75224: ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75242
  • Part of subcall function 00B75224: HeapAlloc.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B7525B
  • Part of subcall function 00B75224: ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75272
  • Part of subcall function 00B75224: HeapFree.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75288
• HeapFree.KERNEL32(?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75311
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: Heap$AllocEnvironmentExpandFreeStrings$lstrlenmbstowcs
• String ID:
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: Heap$AllocFreelstrlenmbstowcs
• String ID:
APIs
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75242
• HeapAlloc.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B7525B
• ExpandEnvironmentStringsW.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75272
• HeapFree.KERNEL32(?,?,00000000,00B752FD,?,?,00000000,00B75454,?,?,00000000,00B64CAE), ref: 00B75288
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Similarity
• API ID: EnvironmentExpandHeapStrings$AllocFree
• String ID:
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • %08X-%04X-%04X-%04X-%08X%04X, xrefs: 00B76E27
                                                                                                                                                                                  • Software\AppDataLow\Software\Microsoft\, xrefs: 00B76E16
                                                                                                                                                                                  • {%08X-%04X-%04X-%04X-%08X%04X}, xrefs: 00B76E33
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: wsprintf
                                                                                                                                                                                  • String ID: %08X-%04X-%04X-%04X-%08X%04X$Software\AppDataLow\Software\Microsoft\${%08X-%04X-%04X-%04X-%08X%04X}
                                                                                                                                                                                  • API String ID: 2111968516-3970486703
                                                                                                                                                                                  • Opcode ID: 076f8bcd80f2886f432539d8ed26838c92be1bba3b221acfd546edc2bebf704f
                                                                                                                                                                                  • Instruction ID: c98db1a947ae27ccc20bdfaf3d4ec6f571dafbb7ec62e4f06ad0bda15634a256
                                                                                                                                                                                  • Opcode Fuzzy Hash: 076f8bcd80f2886f432539d8ed26838c92be1bba3b221acfd546edc2bebf704f
                                                                                                                                                                                  • Instruction Fuzzy Hash: 76019A666242E486D7509F06E0443B9BBA0F749BC5F548029FEC857B68E77CC886CB14
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: FreeHandleHeapModule
                                                                                                                                                                                  • String ID: ADVAPI32.DLL
                                                                                                                                                                                  • API String ID: 3297502364-33758204
                                                                                                                                                                                  • Opcode ID: 7cf014e9a0a4d45d9d512c83e61a21764932d8125ae9bebe526526eca8bfaaa3
                                                                                                                                                                                  • Instruction ID: 0218adfc04699f9c3b46c95a289078e8e176c70475ee819901198c90607f31cb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 7cf014e9a0a4d45d9d512c83e61a21764932d8125ae9bebe526526eca8bfaaa3
                                                                                                                                                                                  • Instruction Fuzzy Hash: E631D132718E9486DB20DF16E88079977B0F789BD0F688062EB5D47B24DF38C986C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: SystemTimewsprintf
                                                                                                                                                                                  • String ID: %02u:%02u:%02u
                                                                                                                                                                                  • API String ID: 425189169-982595855
                                                                                                                                                                                  • Opcode ID: 79f31565c2b44c472f4a2d3eff178b785a234df3ca233b41bc9c632548cc9dbf
                                                                                                                                                                                  • Instruction ID: b589862e5ee2f2091629619dcaebf25bf35079e2263a001bf1e93b099391f2d5
                                                                                                                                                                                  • Opcode Fuzzy Hash: 79f31565c2b44c472f4a2d3eff178b785a234df3ca233b41bc9c632548cc9dbf
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8C312776214A86C2EB608F26F895B5AB770F389B89F519112DF8D47B28CF3DC449CB00
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • GetLocalTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00B616FE), ref: 00B77D61
                                                                                                                                                                                  • wsprintfA.USER32 ref: 00B77DA5
                                                                                                                                                                                  Strings
                                                                                                                                                                                  • %02u-%02u-%02u %02u:%02u:%02u, xrefs: 00B77D96
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: LocalTimewsprintf
                                                                                                                                                                                  • String ID: %02u-%02u-%02u %02u:%02u:%02u
                                                                                                                                                                                  • API String ID: 1577811021-3005227379
                                                                                                                                                                                  • Opcode ID: 73fa6c8311dbdf94794f3b40969db0a53fa09f1f780771b08853d10b82051151
                                                                                                                                                                                  • Instruction ID: f36ef2390bb92b90b71f9909315b9af6cc58ca20959486b05950747bea9a4fbe
                                                                                                                                                                                  • Opcode Fuzzy Hash: 73fa6c8311dbdf94794f3b40969db0a53fa09f1f780771b08853d10b82051151
                                                                                                                                                                                  • Instruction Fuzzy Hash: 39F0E77361869086C7918F15F44136BBB72F7C5BA2F644225FFEA02A98EB3DC564CB10
                                                                                                                                                                                  APIs
                                                                                                                                                                                    • Part of subcall function 00B906B0: LoadLibraryW.KERNEL32(00B6166F), ref: 00B906C0
                                                                                                                                                                                    • Part of subcall function 00B906B0: GetProcAddress.KERNEL32 ref: 00B906CE
                                                                                                                                                                                  • GetCurrentProcess.KERNEL32 ref: 00B9084F
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AddressCurrentLibraryLoadProcProcess
                                                                                                                                                                                  • String ID: @$NtAllocateVirtualMemory
                                                                                                                                                                                  • API String ID: 353374858-1474625276
                                                                                                                                                                                  • Opcode ID: 8f3227b3002da1eb26b51a5b875edc3cb9b3c939d0a29d7011adfd9aa498864a
                                                                                                                                                                                  • Instruction ID: 996c3305b9c130d5456c3bcbb841f29a4e314d1f8fe0b28579b7a02abdc069cb
                                                                                                                                                                                  • Opcode Fuzzy Hash: 8f3227b3002da1eb26b51a5b875edc3cb9b3c939d0a29d7011adfd9aa498864a
                                                                                                                                                                                  • Instruction Fuzzy Hash: 64F0FE7263CB8086DB50EF10F48974B77A0F784748F901524FB8A46A58DFBDC589CB40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • LoadLibraryW.KERNEL32(00B6166F), ref: 00B906C0
                                                                                                                                                                                  • GetProcAddress.KERNEL32 ref: 00B906CE
                                                                                                                                                                                  Strings
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
Yara matches
Similarity
• API ID: AddressLibraryLoadProc
• String ID: ntdll.dll
• API String ID: 2574300362-2227199552
• Opcode ID: 0792588500a2e208f63433b103357f76d80acb6b169e5c5433297ba0e55253c7
• Instruction ID: a21a6f80b2d27ff28e650c6bfa0471add56c70ebac76bf0bc361c70c298f74ec
• Opcode Fuzzy Hash: 0792588500a2e208f63433b103357f76d80acb6b169e5c5433297ba0e55253c7
• Instruction Fuzzy Hash: A4D01225A22A40D2DA08EF22F889B0A3370F788B80F814010EB4E02724DF3CC0AE8B00
APIs
  • Part of subcall function 00B6A640: EnterCriticalSection.KERNEL32(?,?,00000000,00B70965,?,?,?,00B68501), ref: 00B6A65E
  • Part of subcall function 00B6A640: LeaveCriticalSection.KERNEL32(?,?,00000000,00B70965,?,?,?,00B68501), ref: 00B6A66C
• lstrlenA.KERNEL32 ref: 00B6B37A
• HeapAlloc.KERNEL32 ref: 00B6B38F
• memcpy.NTDLL ref: 00B6B3A6
• HeapFree.KERNEL32 ref: 00B6B4BC
  • Part of subcall function 00B7F920: EnterCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9A5
  • Part of subcall function 00B7F920: Sleep.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9B7
  • Part of subcall function 00B7F920: LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9DB
  • Part of subcall function 00B7F920: EnterCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F94E
  • Part of subcall function 00B7F920: LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F95C
Yara matches
Similarity
• API ID: CriticalSection$EnterLeave$Heap$AllocFreeSleeplstrlenmemcpy
• String ID:
• API String ID: 676758734-0
• Opcode ID: 7fff4ab2d167cc6616b4e9bb5a214f9a96c6f73ad6ffcdccc4831ba80444a0b2
• Instruction ID: c6cdd4b1a0e9cf8d5f8e98e85a1cc666319841d7ff79388313ab32ae890a908e
• Opcode Fuzzy Hash: 7fff4ab2d167cc6616b4e9bb5a214f9a96c6f73ad6ffcdccc4831ba80444a0b2
• Instruction Fuzzy Hash: EA519A32211B8582DB25CF26A5557AA77E1FB88BD8F488065EE4E8BB25DF3CC485C700
APIs
• memset.NTDLL ref: 00B7E6E4
• memset.NTDLL ref: 00B7E700
• memset.NTDLL ref: 00B7E712
  • Part of subcall function 00B7E534: _strupr.NTDLL ref: 00B7E591
  • Part of subcall function 00B7E534: _strupr.NTDLL ref: 00B7E5EA
  • Part of subcall function 00B7E534: _strupr.NTDLL ref: 00B7E627
  • Part of subcall function 00B7E534: _strupr.NTDLL ref: 00B7E664
  • Part of subcall function 00B7DFB8: OpenProcess.KERNEL32 ref: 00B7E022
  • Part of subcall function 00B7DFB8: CloseHandle.KERNEL32 ref: 00B7E047
  • Part of subcall function 00B7DFB8: GetSystemTimeAsFileTime.KERNEL32 ref: 00B7E0C3
  • Part of subcall function 00B7DFB8: HeapAlloc.KERNEL32 ref: 00B7E144
• HeapFree.KERNEL32 ref: 00B7E8AC
Yara matches
Similarity
• API ID: _strupr$memset$HeapTime$AllocCloseFileFreeHandleOpenProcessSystem
• String ID:
• API String ID: 2236697911-0
• Opcode ID: dcf531802eb9114e7febdc1824f7008b0e8d4dc9a03ee6783834ac2e2e7fe071
• Instruction ID: ddba1655e80f3748790864c8e330c30bb8566be2312c3c4b36384d088aa94849
• Opcode Fuzzy Hash: dcf531802eb9114e7febdc1824f7008b0e8d4dc9a03ee6783834ac2e2e7fe071
• Instruction Fuzzy Hash: 7F5102376146C08AD720DB25E84479EBBA5FBCC784F988195EBAD43B58DB38C849CB01
APIs
  • Part of subcall function 00B6B308: lstrlenA.KERNEL32 ref: 00B6B37A
  • Part of subcall function 00B6B308: HeapAlloc.KERNEL32 ref: 00B6B38F
  • Part of subcall function 00B6B308: memcpy.NTDLL ref: 00B6B3A6
• GetLastError.KERNEL32 ref: 00B6B8F3
• HeapFree.KERNEL32 ref: 00B6B90C
• HeapFree.KERNEL32 ref: 00B6B923
• SetLastError.KERNEL32 ref: 00B6B92B
  • Part of subcall function 00B7F920: EnterCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9A5
  • Part of subcall function 00B7F920: Sleep.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9B7
  • Part of subcall function 00B7F920: LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9DB
Yara matches
Similarity
• API ID: Heap$CriticalErrorFreeLastSection$AllocEnterLeaveSleeplstrlenmemcpy
• String ID:
• API String ID: 3488247953-0
• Opcode ID: 1f3fe50f218c0630be2c157853e86ca519af0a5686cc215bdc8f4155a2f1d67b
• Instruction ID: 74a054f13259dbb2d00b3a56d706f61ab16d3486edc3a2fd1ae5ae44e1d25386
• Opcode Fuzzy Hash: 1f3fe50f218c0630be2c157853e86ca519af0a5686cc215bdc8f4155a2f1d67b
• Instruction Fuzzy Hash: 38317E26711B8086EB40DF22A888B5977A5F788FE0F594266DF6D87754CF39C886C700
APIs
  • Part of subcall function 00B6B4F4: lstrlenW.KERNEL32 ref: 00B6B52F
  • Part of subcall function 00B6B4F4: HeapAlloc.KERNEL32 ref: 00B6B546
  • Part of subcall function 00B6B4F4: wcstombs.NTDLL ref: 00B6B55D
  • Part of subcall function 00B6B4F4: lstrlenA.KERNEL32 ref: 00B6B589
  • Part of subcall function 00B6B4F4: HeapAlloc.KERNEL32 ref: 00B6B5A0
  • Part of subcall function 00B6B4F4: mbstowcs.NTDLL ref: 00B6B5B7
  • Part of subcall function 00B6B4F4: HeapFree.KERNEL32 ref: 00B6B5C9
  • Part of subcall function 00B6B4F4: HeapFree.KERNEL32 ref: 00B6B5E0
• GetLastError.KERNEL32 ref: 00B6BA2B
• HeapFree.KERNEL32 ref: 00B6BA44
• HeapFree.KERNEL32 ref: 00B6BA5B
• SetLastError.KERNEL32 ref: 00B6BA63
  • Part of subcall function 00B7F920: EnterCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9A5
  • Part of subcall function 00B7F920: Sleep.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9B7
  • Part of subcall function 00B7F920: LeaveCriticalSection.KERNEL32(?,?,00000000,00B7E45C), ref: 00B7F9DB
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$Free$AllocCriticalErrorLastSectionlstrlen$EnterLeaveSleepmbstowcswcstombs
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 69115920-0
                                                                                                                                                                                  • Opcode ID: e659a9f90a80453cee2a791c79ddb40193090b50b82e6806ac880837bf21badf
                                                                                                                                                                                  • Instruction ID: 7247019a844157db4094d93467033fff57dd3e36d70d7aea7104b99a5871cda5
                                                                                                                                                                                  • Opcode Fuzzy Hash: e659a9f90a80453cee2a791c79ddb40193090b50b82e6806ac880837bf21badf
                                                                                                                                                                                  • Instruction Fuzzy Hash: C3319E36310B4086DB40DF62A849B5977A5F788FE0F5A4265DE6D87750DF38C886C700
                                                                                                                                                                                  APIs
                                                                                                                                                                                  • HeapAlloc.KERNEL32(?,?,?,00B86ADF,?,?,?,?,?,00000000,?,?,00000000,00B86BCD), ref: 00B856AF
                                                                                                                                                                                  • memcpy.NTDLL(?,?,?,00B86ADF,?,?,?,?,?,00000000,?,?,00000000,00B86BCD), ref: 00B856F3
                                                                                                                                                                                  • memcpy.NTDLL(?,?,?,00B86ADF,?,?,?,?,?,00000000,?,?,00000000,00B86BCD), ref: 00B85718
                                                                                                                                                                                  • memcpy.NTDLL(?,?,?,00B86ADF,?,?,?,?,?,00000000,?,?,00000000,00B86BCD), ref: 00B8572F
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memcpy$AllocHeap
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 3679461081-0
                                                                                                                                                                                  • Opcode ID: 680b58c017d16d2729eee9609a70293c3ca4cf757aafdd8cc029703adffa6a23
                                                                                                                                                                                  • Instruction ID: 8cc73e7afe512960f464eb2fde3435bab01ec228c47364f6d0e434bbdbcdf25d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 680b58c017d16d2729eee9609a70293c3ca4cf757aafdd8cc029703adffa6a23
                                                                                                                                                                                  • Instruction Fuzzy Hash: D83167B7611A20CBCBA0DF39D58432837B5F388F99F25A528DA0967718DB34C884CB80
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2221118986-0
                                                                                                                                                                                  • Opcode ID: 3e9d582d92d6fbffd743ff7e139870ecc4ff6e7d32a13b20da571c2e549c5581
                                                                                                                                                                                  • Instruction ID: 3e55cc85d0b2d3d247f769675cdba6a40ce25c59013d470ebd61a50ac50ea753
                                                                                                                                                                                  • Opcode Fuzzy Hash: 3e9d582d92d6fbffd743ff7e139870ecc4ff6e7d32a13b20da571c2e549c5581
                                                                                                                                                                                  • Instruction Fuzzy Hash: E6314932201E4097DF74EB26E58436E73A1FB88B84F584165DB8E47B28DF39D9A6C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: CriticalErrorLastSection$EnterLeave
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2124651672-0
                                                                                                                                                                                  • Opcode ID: 6545f90bcf2dca0b77ae44bfe7d8ee9c9b361d3b0fe3c54c64daa03890c88edd
                                                                                                                                                                                  • Instruction ID: 76a4a3541a731a14c93cb586e7158fa5ac15086b5c9e4ebc7838439a22b0b43f
                                                                                                                                                                                  • Opcode Fuzzy Hash: 6545f90bcf2dca0b77ae44bfe7d8ee9c9b361d3b0fe3c54c64daa03890c88edd
                                                                                                                                                                                  • Instruction Fuzzy Hash: B2310776218B80C6D794CF26E44476AB7B0F788F95F149226EF9E47B58CF38C8858B40
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: memset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 2221118986-0
                                                                                                                                                                                  • Opcode ID: 27545142fd4bf6cb75ded84454e513902f61039e3de0631772d606428d0bb51b
                                                                                                                                                                                  • Instruction ID: 8de21064b522d646160e7ca25fb665bd80c402d377aec9c90d8d2f574609462d
                                                                                                                                                                                  • Opcode Fuzzy Hash: 27545142fd4bf6cb75ded84454e513902f61039e3de0631772d606428d0bb51b
                                                                                                                                                                                  • Instruction Fuzzy Hash: 96214F32200A4197DF24EF26E55436E73A1FB89B88F085565EB4E47B24DF39D9A6C304
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: AllocHeaplstrcpylstrlenmemcpy
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 4223645407-0
                                                                                                                                                                                  • Opcode ID: ca48124d3430b7c390367f6894358fd97c0fb7ea5ae142c2c95dd5a3183e795d
                                                                                                                                                                                  • Instruction ID: 65277a13bb008edb9d187546e14273a1be23ef826f937631c71e1a03f493915f
                                                                                                                                                                                  • Opcode Fuzzy Hash: ca48124d3430b7c390367f6894358fd97c0fb7ea5ae142c2c95dd5a3183e795d
                                                                                                                                                                                  • Instruction Fuzzy Hash: 8D214776600B9082C704CF12E884659BBB9F388FD4F568566DF9D43B20DF79D8A5C740
                                                                                                                                                                                  APIs
                                                                                                                                                                                  Memory Dump Source
                                                                                                                                                                                  • Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
                                                                                                                                                                                  • Associated: 00000006.00000002.1794420795.0000000000B60000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794498490.0000000000B94000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794521630.0000000000B9B000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794551870.0000000000B9E000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794583919.0000000000BA0000.00000004.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  • Associated: 00000006.00000002.1794610717.0000000000BA2000.00000002.80000000.00040000.00000000.sdmpDownload File
                                                                                                                                                                                  Joe Sandbox IDA Plugin
                                                                                                                                                                                  • Snapshot File: hcaresult_6_2_b60000_svchost.jbxd
                                                                                                                                                                                  Yara matches
                                                                                                                                                                                  Similarity
                                                                                                                                                                                  • API ID: Heap$AllocFreememcpymemset
                                                                                                                                                                                  • String ID:
                                                                                                                                                                                  • API String ID: 872336148-0
APIs
  • Part of subcall function 00B78900: StrChrA.SHLWAPI ref: 00B78930
  • Part of subcall function 00B78900: HeapAlloc.KERNEL32 ref: 00B7894B
  • Part of subcall function 00B78900: StrTrimA.SHLWAPI ref: 00B78963
  • Part of subcall function 00B78900: StrChrA.SHLWAPI ref: 00B78976
  • Part of subcall function 00B78900: StrTrimA.SHLWAPI ref: 00B78994
• EnterCriticalSection.KERNEL32 ref: 00B65006
• Sleep.KERNEL32 ref: 00B65023
• HeapFree.KERNEL32 ref: 00B65054
• HeapFree.KERNEL32 ref: 00B6506E
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Yara matches
Similarity
• API ID: Heap$FreeTrim$AllocCriticalEnterSectionSleep
• String ID:
• API String ID: 2834552664-0
APIs
• EnterCriticalSection.KERNEL32(?,?,00000000,00B72414,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7FA17
• Sleep.KERNEL32(?,?,00000000,00B72414,?,?,?,00B61617,?,?,?,?,00B61686), ref: 00B7FA29
• LeaveCriticalSection.KERNEL32(?,?,00000000,00B72414,?,?,?,00B61617), ref: 00B7FA6A
• HeapFree.KERNEL32(?,?,00000000,00B72414,?,?,?,00B61617), ref: 00B7FA7C
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Yara matches
Similarity
• API ID: CriticalSection$EnterFreeHeapLeaveSleep
• String ID:
• API String ID: 58946197-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Yara matches
Similarity
• API ID: AllocHeaplstrlenmemcpymemset
• String ID:
• API String ID: 422472530-0
APIs
• HeapReAlloc.KERNEL32(?,?,00000000,00B7E2CE), ref: 00B7DF57
• HeapAlloc.KERNEL32(?,?,00000000,00B7E2CE), ref: 00B7DF71
• memcpy.NTDLL(?,?,00000000,00B7E2CE), ref: 00B7DF88
• HeapFree.KERNEL32(?,?,00000000,00B7E2CE), ref: 00B7DF99
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Yara matches
Similarity
• API ID: Heap$Alloc$Freememcpy
• String ID:
• API String ID: 2973548000-0
APIs
Memory Dump Source
• Source File: 00000006.00000002.1794451873.0000000000B61000.00000020.80000000.00040000.00000000.sdmp, Offset: 00B60000, based on PE: true
Yara matches
Similarity
• API ID: AllocHeaplstrlenmemcpymemset
• String ID:
• API String ID: 422472530-0